* [bitcoin-dev] Opinion on proof of stake in future
@ 2021-05-07 17:17 SatoshiSingh
2021-05-07 23:04 ` Eric Voskuil
` (3 more replies)
0 siblings, 4 replies; 67+ messages in thread
From: SatoshiSingh @ 2021-05-07 17:17 UTC (permalink / raw)
To: bitcoin-dev
Hello list,
I am a lurker here and like many of you I worry about the energy usage of bitcoin mining. I understand a lot mining happens with renewable resources but the impact is still high.
I want to get your opinion on implementing proof of stake for bitcoin mining in future. For now, proof of stake is still untested and not battle tested like proof of work. Though someday it will be.
In the following years we'll be seeing proof of stake being implemented. Smaller networks can test PoS which is a luxury bitcoin can't afford. Here's how I see this the possibilities:
1 - Proof of stake isn't a good enough security mechanism
2 - Proof of state is a good security mechanism and works as intended
IF PoS turns out to be good after battle testing, would you consider implementing it for Bitcoin? I understand this would invoke a lot of controversies and a hard fork that no one likes. But its important enough to consider a hard fork. What are your opinions provided PoS does work?
Love from India.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-07 17:17 [bitcoin-dev] Opinion on proof of stake in future SatoshiSingh
@ 2021-05-07 23:04 ` Eric Voskuil
2021-05-08 14:33 ` Karl
2021-05-07 23:19 ` Jeremy
` (2 subsequent siblings)
3 siblings, 1 reply; 67+ messages in thread
From: Eric Voskuil @ 2021-05-07 23:04 UTC (permalink / raw)
To: SatoshiSingh, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 1428 bytes --]
https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
> On May 7, 2021, at 15:50, SatoshiSingh via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hello list,
>
> I am a lurker here and like many of you I worry about the energy usage of bitcoin mining. I understand a lot mining happens with renewable resources but the impact is still high.
>
> I want to get your opinion on implementing proof of stake for bitcoin mining in future. For now, proof of stake is still untested and not battle tested like proof of work. Though someday it will be.
>
> In the following years we'll be seeing proof of stake being implemented. Smaller networks can test PoS which is a luxury bitcoin can't afford. Here's how I see this the possibilities:
>
> 1 - Proof of stake isn't a good enough security mechanism
> 2 - Proof of state is a good security mechanism and works as intended
>
> IF PoS turns out to be good after battle testing, would you consider implementing it for Bitcoin? I understand this would invoke a lot of controversies and a hard fork that no one likes. But its important enough to consider a hard fork. What are your opinions provided PoS does work?
>
> Love from India.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 2012 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-07 17:17 [bitcoin-dev] Opinion on proof of stake in future SatoshiSingh
2021-05-07 23:04 ` Eric Voskuil
@ 2021-05-07 23:19 ` Jeremy
2021-05-08 2:40 ` honest69abe
2021-05-08 13:44 ` Eric Martindale
2021-05-10 14:08 ` Erik Aronesty
3 siblings, 1 reply; 67+ messages in thread
From: Jeremy @ 2021-05-07 23:19 UTC (permalink / raw)
To: SatoshiSingh, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 2381 bytes --]
Proof-of-stake tends towards oligopolistic control, which is antithetical
to bitcoin.
Proof-of-stake also has some other security issues that make it a bad
substitute for Proof-of-work with respect to equivocation (reorgs).
Overall you'll find me *personally* in the camp that it's OK to explore
non-PoW means of consensus long term that can keep the network in consensus
in a more capital efficient manner, but that proof-of-stake is not such a
substitute. Other Bitcoiners will disagree with this invariably, but if you
truly have a novel solution for Byzantine Generals, it would be a major
contribution to not just Bitcoin but the field of computer science as a
whole and would likely get due consideration.
What's difficult is that Bitcoin PoW has some very specific properties that
may or may not be desirable around e.g. fairness that might be difficult to
ensure in other systems, so there is probably more to the puzzle than just
consensus.
--
@JeremyRubin <https://twitter.com/JeremyRubin>
<https://twitter.com/JeremyRubin>
On Fri, May 7, 2021 at 3:50 PM SatoshiSingh via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hello list,
>
> I am a lurker here and like many of you I worry about the energy usage of
> bitcoin mining. I understand a lot mining happens with renewable resources
> but the impact is still high.
>
> I want to get your opinion on implementing proof of stake for bitcoin
> mining in future. For now, proof of stake is still untested and not battle
> tested like proof of work. Though someday it will be.
>
> In the following years we'll be seeing proof of stake being implemented.
> Smaller networks can test PoS which is a luxury bitcoin can't afford.
> Here's how I see this the possibilities:
>
> 1 - Proof of stake isn't a good enough security mechanism
> 2 - Proof of state is a good security mechanism and works as intended
>
> IF PoS turns out to be good after battle testing, would you consider
> implementing it for Bitcoin? I understand this would invoke a lot of
> controversies and a hard fork that no one likes. But its important enough
> to consider a hard fork. What are your opinions provided PoS does work?
>
> Love from India.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 4039 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-07 23:19 ` Jeremy
@ 2021-05-08 2:40 ` honest69abe
2021-05-08 14:42 ` Karl
0 siblings, 1 reply; 67+ messages in thread
From: honest69abe @ 2021-05-08 2:40 UTC (permalink / raw)
To: jlrubin, SatoshiSingh, bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 3782 bytes --]
And to address your energy usage concern:
Energy usage, in-and-of-itself, is nothing to be ashamed of!! It's the composition of that energy usage that could be shameful. There is much debate currently about what that composition is for Bitcoin, but those estimates range from between 20-80% renewable. However, where it currently stands is largely irrelevant...
What is more important;
Bitcoin mining introduces the first free-market demand for the cheapest energy source.
I think most people are unaware of how impactful this is.
Renewable energies have crossed over into being the cheapest forms of energy and are still declining at steep rates. Estimates from the International Renewable Energy Agency breakdown the Levelized Cost of Energy as such: Geothermal ($0.05-0.1/kWh), Coal (0.06-0.07), natural gas (0.04-0.07), wind (0.02-0.05), solar (0.03-0.04), hydro (0.01-0.04).
Thus, Bitcoin is the first intrinsic incentive for humans to invest in cheapest energy, which happen to be the cleanest forms of energy.
Bitcoin as a free-market energy generation incentive that doesn't also optimize for human habitability will be civilizationally changing. E.g. solar farms in deserts, high-altitude wind.
Welcome to any thoughts and criticisms of my thinking here
Sent from ProtonMail mobile
-------- Original Message --------
On May 7, 2021, 7:19 PM, Jeremy via bitcoin-dev wrote:
> Proof-of-stake tends towards oligopolistic control, which is antithetical to bitcoin.
>
> Proof-of-stake also has some other security issues that make it a bad substitute for Proof-of-work with respect to equivocation (reorgs).
>
> Overall you'll find me personally in the camp that it's OK to explore non-PoW means of consensus long term that can keep the network in consensus in a more capital efficient manner, but that proof-of-stake is not such a substitute. Other Bitcoiners will disagree with this invariably, but if you truly have a novel solution for Byzantine Generals, it would be a major contribution to not just Bitcoin but the field of computer science as a whole and would likely get due consideration.
>
> What's difficult is that Bitcoin PoW has some very specific properties that may or may not be desirable around e.g. fairness that might be difficult to ensure in other systems, so there is probably more to the puzzle than just consensus.
> --
> [@JeremyRubin](https://twitter.com/JeremyRubin)https://twitter.com/JeremyRubin
>
> On Fri, May 7, 2021 at 3:50 PM SatoshiSingh via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hello list,
>>
>> I am a lurker here and like many of you I worry about the energy usage of bitcoin mining. I understand a lot mining happens with renewable resources but the impact is still high.
>>
>> I want to get your opinion on implementing proof of stake for bitcoin mining in future. For now, proof of stake is still untested and not battle tested like proof of work. Though someday it will be.
>>
>> In the following years we'll be seeing proof of stake being implemented. Smaller networks can test PoS which is a luxury bitcoin can't afford. Here's how I see this the possibilities:
>>
>> 1 - Proof of stake isn't a good enough security mechanism
>> 2 - Proof of state is a good security mechanism and works as intended
>>
>> IF PoS turns out to be good after battle testing, would you consider implementing it for Bitcoin? I understand this would invoke a lot of controversies and a hard fork that no one likes. But its important enough to consider a hard fork. What are your opinions provided PoS does work?
>>
>> Love from India.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 5599 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-07 17:17 [bitcoin-dev] Opinion on proof of stake in future SatoshiSingh
2021-05-07 23:04 ` Eric Voskuil
2021-05-07 23:19 ` Jeremy
@ 2021-05-08 13:44 ` Eric Martindale
2021-05-09 11:30 ` R E Broadley
2021-05-10 14:08 ` Erik Aronesty
3 siblings, 1 reply; 67+ messages in thread
From: Eric Martindale @ 2021-05-08 13:44 UTC (permalink / raw)
To: SatoshiSingh, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 2714 bytes --]
Mr. Singh,
Proof of Stake is only resilient to ⅓ of the network demonstrating a
Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold.
You can explore prior research here:
https://download.wpsoftware.net/bitcoin/pos.pdf
Independent of the security thresholds, Proof of Stake requires other
trade-offs which are incompatible with Bitcoin's objective (to be a
trustless digital cash) — specifically the famous "security vs. liveness"
guarantee. Digital cash is not useful if it must be globally halted to
ensure its security, and Proof of Work squarely addresses this concern.
Above and beyond any security consideration, Proof of Stake incentivizes
the accumulation of wealth within a small set of actors, which is
undesirable for the long-term health of any such network. If we are to
free humanity from the tyranny of the State, we must do so by protecting
the rights of every individual to hold and preserve their own value,
without trusting any third party. Entrusting the health of the network to
the "economic elite" is the paramount evil with respect to Bitcoin's
objectives, nevermind that Proof of Work relies on energy expenditure to
provide its security.
Sincerely,
Eric Martindale, relentless maker.
Founder & CEO, Fabric, Inc. <https://fabric.fm>
+1 (919) 374-2020
On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hello list,
>
> I am a lurker here and like many of you I worry about the energy usage of
> bitcoin mining. I understand a lot mining happens with renewable resources
> but the impact is still high.
>
> I want to get your opinion on implementing proof of stake for bitcoin
> mining in future. For now, proof of stake is still untested and not battle
> tested like proof of work. Though someday it will be.
>
> In the following years we'll be seeing proof of stake being implemented.
> Smaller networks can test PoS which is a luxury bitcoin can't afford.
> Here's how I see this the possibilities:
>
> 1 - Proof of stake isn't a good enough security mechanism
> 2 - Proof of state is a good security mechanism and works as intended
>
> IF PoS turns out to be good after battle testing, would you consider
> implementing it for Bitcoin? I understand this would invoke a lot of
> controversies and a hard fork that no one likes. But its important enough
> to consider a hard fork. What are your opinions provided PoS does work?
>
> Love from India.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 3929 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-07 23:04 ` Eric Voskuil
@ 2021-05-08 14:33 ` Karl
2021-05-09 10:21 ` R E Broadley
0 siblings, 1 reply; 67+ messages in thread
From: Karl @ 2021-05-08 14:33 UTC (permalink / raw)
To: Eric Voskuil, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 2638 bytes --]
Bitcoin would get better mainstream public reputation if the block reward
were reduced to reduce mining. This would quickly and easily reduce energy
expenditure.
A system would be needed to do that with consensus, to make it political.
For example, making a norm of extending the block reward termination
farther into the future, spreading the remaining coins out more thinly, but
never doing the opposite.
PoS can be made to work but it's hard to do so amid such disagreement. It
is so hard to express one's relevant information concisely and effectively.
I recommended earlier finding or hiring an experienced facilitator who
could make sure all concerns around the chain are included by engaging all
the dialog more productively. Somebody would need to be available to do
the work of finding such a person and any compensation they might need.
On Fri, May 7, 2021, 7:05 PM Eric Voskuil via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>
This wiki states things as impossible but does not at all demonstrate them
to be so.
The assumption that something is impossible always relies on many other
assumptions, and the reader may have different ones from the author.
Quote from Proof-of-Stake-Fallacy
> In Other Means Principle it is shown that censorship resistance depends
on people paying miners to overpower the censor.
> Overcoming censorship is not possible in a PoS system, as the censor has
acquired majority stake and cannot be unseated.
If the link in that text is followed you get,
Quote from Other Means Principle:
> Given that mining is necessarily anonymous, there is no way for the
economy to prevent state participation in mining.
The article then goes on to assume this, but "no way" is a circular link
back to Proof-of-Stake-Fallacy!
Never is it demonstrated that a censor will always be able to have majority
stake. In a PoS system, they would have to be able to form false chain
histories to do that. In a PoW system, they would have to outcompete the
work.
These are not inherent limitations. The whole world is open. Consider a
proof of work algorithm that requires the freeing of prisoners: a state a
very different state if it does this. Or a communication protocol that
already cannot be intercepted. These things are exotically hard, but not
impossible, and show that the logic of the articles is not valid.
Another random idea: incentivising out-of-band channels, for example.
Mining blocks based on finding and uniting illegitimate forks. Now a chain
functions by defeating its own censorship.
[-- Attachment #2: Type: text/html, Size: 3875 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-08 2:40 ` honest69abe
@ 2021-05-08 14:42 ` Karl
2021-05-09 19:07 ` Cloud Strife
0 siblings, 1 reply; 67+ messages in thread
From: Karl @ 2021-05-08 14:42 UTC (permalink / raw)
To: honest69abe, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 668 bytes --]
>
> What is more important;
> Bitcoin mining introduces the first free-market demand for the cheapest
> energy source.
This is a really great idea but I think access to technologically advanced
hardware is a stronger component than energy here.
Making open community chip fabs might change that. Then anybody could get
on the bandwagon. But right now the hardware barrier keeps the common
person out.
If you can build a chip fab, you may also be able to build a powerplant.
Not many others can do that to compete with you. The energy economy still
has more supply than competition or renewable energy would quickly
outcompete nonrenewable as the price dropped.
[-- Attachment #2: Type: text/html, Size: 1012 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-08 14:33 ` Karl
@ 2021-05-09 10:21 ` R E Broadley
2021-05-09 10:59 ` Karl
0 siblings, 1 reply; 67+ messages in thread
From: R E Broadley @ 2021-05-09 10:21 UTC (permalink / raw)
To: Karl, Bitcoin Protocol Discussion
On Sat, 8 May 2021 at 15:36, Karl via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> Bitcoin would get better mainstream public reputation if the block reward were reduced to reduce mining. This would quickly and easily reduce energy expenditure.
You're in luck then, as the block reward is being reduced by 50%, every 4 years.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-09 10:21 ` R E Broadley
@ 2021-05-09 10:59 ` Karl
0 siblings, 0 replies; 67+ messages in thread
From: Karl @ 2021-05-09 10:59 UTC (permalink / raw)
To: R E Broadley; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 617 bytes --]
On Sun, May 9, 2021, 6:21 AM R E Broadley <
rebroad+linuxfoundation.org@gmail.com> wrote:
> On Sat, 8 May 2021 at 15:36, Karl via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > Bitcoin would get better mainstream public reputation if the block
> reward were reduced to reduce mining. This would quickly and easily reduce
> energy expenditure.
>
> You're in luck then, as the block reward is being reduced by 50%, every 4
> years.
>
I'm aware of that and it is why I mentioned "block reward termination" in
the next paragraph... did you receive the rest of my message? Or why do
you say this?
>
[-- Attachment #2: Type: text/html, Size: 1298 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-08 13:44 ` Eric Martindale
@ 2021-05-09 11:30 ` R E Broadley
0 siblings, 0 replies; 67+ messages in thread
From: R E Broadley @ 2021-05-09 11:30 UTC (permalink / raw)
To: Eric Martindale, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 3161 bytes --]
According to this paper:
https://www.cs.umd.edu/projects/coinscope/coinscope.pdf
PoW is also only resilient to 1/3rd of the network.
On Sat, 8 May 2021 at 14:46, Eric Martindale via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Mr. Singh,
>
> Proof of Stake is only resilient to ⅓ of the network demonstrating a
Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold.
You can explore prior research here:
https://download.wpsoftware.net/bitcoin/pos.pdf
>
> Independent of the security thresholds, Proof of Stake requires other
trade-offs which are incompatible with Bitcoin's objective (to be a
trustless digital cash) — specifically the famous "security vs. liveness"
guarantee. Digital cash is not useful if it must be globally halted to
ensure its security, and Proof of Work squarely addresses this concern.
>
> Above and beyond any security consideration, Proof of Stake incentivizes
the accumulation of wealth within a small set of actors, which is
undesirable for the long-term health of any such network. If we are to
free humanity from the tyranny of the State, we must do so by protecting
the rights of every individual to hold and preserve their own value,
without trusting any third party. Entrusting the health of the network to
the "economic elite" is the paramount evil with respect to Bitcoin's
objectives, nevermind that Proof of Work relies on energy expenditure to
provide its security.
>
> Sincerely,
>
> Eric Martindale, relentless maker.
> Founder & CEO, Fabric, Inc.
> +1 (919) 374-2020
>
>
> On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> Hello list,
>>
>> I am a lurker here and like many of you I worry about the energy usage
of bitcoin mining. I understand a lot mining happens with renewable
resources but the impact is still high.
>>
>> I want to get your opinion on implementing proof of stake for bitcoin
mining in future. For now, proof of stake is still untested and not battle
tested like proof of work. Though someday it will be.
>>
>> In the following years we'll be seeing proof of stake being implemented.
Smaller networks can test PoS which is a luxury bitcoin can't afford.
Here's how I see this the possibilities:
>>
>> 1 - Proof of stake isn't a good enough security mechanism
>> 2 - Proof of state is a good security mechanism and works as intended
>>
>> IF PoS turns out to be good after battle testing, would you consider
implementing it for Bitcoin? I understand this would invoke a lot of
controversies and a hard fork that no one likes. But its important enough
to consider a hard fork. What are your opinions provided PoS does work?
>>
>> Love from India.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 4010 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-08 14:42 ` Karl
@ 2021-05-09 19:07 ` Cloud Strife
0 siblings, 0 replies; 67+ messages in thread
From: Cloud Strife @ 2021-05-09 19:07 UTC (permalink / raw)
To: Karl, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 2892 bytes --]
Proof of stake is permissioned by coins, an internal, permissioned, and
already owned resource.
You cannot gain tokens without someone choosing to give up those coins - a
form of permission. Permission can also be thought of as an infinite
barrier to entry.
PoW forces giving up control through both permissionless to enter mining
via EXTERNAL permissionless resources and unforgeable costliness for the
miners.
Without unforgeable costliness there's no reason to ever give up control in
PoS.
In fact, staking quite literally incentivizes keeping control by rewarding
those in control with more coins and control in perpetuity at no cost - the
incentives on PoS are completely backwards from decentralizing control.
Since no mechanism forces control to be permissionlessly distributed to
others, parties in control cannot be considered independent parties nor can
control be considered decentralized.
PoS solves nothing that's relevant to permissionless decentralized networks.
> In the following years we'll be seeing proof of stake being implemented
It has been implemented since 2014 but it doesn't meet criteria for a
permissionless network. There's nothing new about implementing permissioned
networks.
You could try to replace proof of work with proof of bitcoin burn (not well
studied) on blockchains other than Bitcoin, but there's no known
replacement for proof of work for Bitcoin right now.
PoS has been considered and studied since then many times since then and
dismissed repeatedly for irrelevance to decentralized permissionless
technology, examples:
- https://nakamotoinstitute.org/research/on-stake-and-consensus/
-
https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
- https://www.truthcoin.info/blog/pow-cheapest/
-
https://hugonguyen.medium.com/work-is-timeless-stake-is-not-554c4450ce18
- https://arxiv.org/abs/1809.06528
On Sat, May 8, 2021 at 10:49 AM Karl via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> What is more important;
>> Bitcoin mining introduces the first free-market demand for the cheapest
>> energy source.
>
>
> This is a really great idea but I think access to technologically advanced
> hardware is a stronger component than energy here.
>
> Making open community chip fabs might change that. Then anybody could get
> on the bandwagon. But right now the hardware barrier keeps the common
> person out.
>
> If you can build a chip fab, you may also be able to build a powerplant.
> Not many others can do that to compete with you. The energy economy still
> has more supply than competition or renewable energy would quickly
> outcompete nonrenewable as the price dropped.
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 4591 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-07 17:17 [bitcoin-dev] Opinion on proof of stake in future SatoshiSingh
` (2 preceding siblings ...)
2021-05-08 13:44 ` Eric Martindale
@ 2021-05-10 14:08 ` Erik Aronesty
2021-05-10 15:01 ` Keagan McClelland
3 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-10 14:08 UTC (permalink / raw)
To: SatoshiSingh, Bitcoin Protocol Discussion
personally, not speaking for anyone else, i think that proof-of-burn
has a much higher likelihood of being a) good enough security and b)
solving the nothing-at-stake problem
the only issue i see with a quality PoB implementation is a robust
solution to the block-timing problem.
https://grisha.org/blog/2018/01/23/explaining-proof-of-work/
i do think there *could* be other low-energy solutions to verifiable
timing, just haven't seen one
On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hello list,
>
> I am a lurker here and like many of you I worry about the energy usage of bitcoin mining. I understand a lot mining happens with renewable resources but the impact is still high.
>
> I want to get your opinion on implementing proof of stake for bitcoin mining in future. For now, proof of stake is still untested and not battle tested like proof of work. Though someday it will be.
>
> In the following years we'll be seeing proof of stake being implemented. Smaller networks can test PoS which is a luxury bitcoin can't afford. Here's how I see this the possibilities:
>
> 1 - Proof of stake isn't a good enough security mechanism
> 2 - Proof of state is a good security mechanism and works as intended
>
> IF PoS turns out to be good after battle testing, would you consider implementing it for Bitcoin? I understand this would invoke a lot of controversies and a hard fork that no one likes. But its important enough to consider a hard fork. What are your opinions provided PoS does work?
>
> Love from India.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-10 14:08 ` Erik Aronesty
@ 2021-05-10 15:01 ` Keagan McClelland
2021-05-10 21:22 ` LORD HIS EXCELLENCY JAMES HRMH
2021-05-10 21:51 ` Jeremy
0 siblings, 2 replies; 67+ messages in thread
From: Keagan McClelland @ 2021-05-10 15:01 UTC (permalink / raw)
To: Bitcoin Protocol Discussion, Erik Aronesty; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 3246 bytes --]
To reiterate some of the points here. My problem with proof of stake is
twofold.
1. It requires permission of coin holders to enter into the system. This is
not true of proof of work. You may even attempt (though not successfully) a
proof of work with pencil and paper and submit the block from a regular
laptop if you so choose. Whether this level of permissionlessness is
necessary is up to individual risk tolerance etc. but it is definitely the
default preference of Bitcoin.
2. Proof of stake must have a trusted means of timestamping to regulate
overproduction of blocks. This introduction of trust is generally
considered to be a nonstarter in Bitcoin. Proof of Work regulates this by
making blocks fundamentally difficult to produce in the first place.
Like Jeremy, I’m always interested to learn about new attempts in consensus
algorithms, but the bar to clear is very high and proof of stake to date
has not proposed much less demonstrated a set of properties that is
consistent with Bitcoins objectives.
Keagan
On Mon, May 10, 2021 at 8:43 AM Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> personally, not speaking for anyone else, i think that proof-of-burn
> has a much higher likelihood of being a) good enough security and b)
> solving the nothing-at-stake problem
>
> the only issue i see with a quality PoB implementation is a robust
> solution to the block-timing problem.
>
> https://grisha.org/blog/2018/01/23/explaining-proof-of-work/
>
> i do think there *could* be other low-energy solutions to verifiable
> timing, just haven't seen one
>
>
> On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > Hello list,
> >
> > I am a lurker here and like many of you I worry about the energy usage
> of bitcoin mining. I understand a lot mining happens with renewable
> resources but the impact is still high.
> >
> > I want to get your opinion on implementing proof of stake for bitcoin
> mining in future. For now, proof of stake is still untested and not battle
> tested like proof of work. Though someday it will be.
> >
> > In the following years we'll be seeing proof of stake being implemented.
> Smaller networks can test PoS which is a luxury bitcoin can't afford.
> Here's how I see this the possibilities:
> >
> > 1 - Proof of stake isn't a good enough security mechanism
> > 2 - Proof of state is a good security mechanism and works as intended
> >
> > IF PoS turns out to be good after battle testing, would you consider
> implementing it for Bitcoin? I understand this would invoke a lot of
> controversies and a hard fork that no one likes. But its important enough
> to consider a hard fork. What are your opinions provided PoS does work?
> >
> > Love from India.
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 4445 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-10 15:01 ` Keagan McClelland
@ 2021-05-10 21:22 ` LORD HIS EXCELLENCY JAMES HRMH
2021-05-10 21:51 ` Jeremy
1 sibling, 0 replies; 67+ messages in thread
From: LORD HIS EXCELLENCY JAMES HRMH @ 2021-05-10 21:22 UTC (permalink / raw)
To: Bitcoin Protocol Discussion, Erik Aronesty, Keagan McClelland
Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 5195 bytes --]
Good Afternoon,
Proof-of-stake sounds like an altcoin fork. There is no consideration that proof-of-work is insufficient or that it can be improved upon, only that it should be regulated. Imagine, you are a gold miner with larger hands so you start a mining race and mine plenty more than everyone. Pretty soon everybody is employing all their available resources just to keep up in the mining race since there are only so many carts instead of just to leisurely utilise surplus resources for an opportune find. Each block is a new gold mine. It is enough for everybody to use leisurely resources.
I have initiated conversation previously regarding a method to regulate mining, and believe whole heartedly it should happen. That is necessary for the future stability of Bitcoin as it is clear the rate of work cannot be allowed to increase at such a rate. If you search the bitcoin-dev archives you will find discussion there under my email as we search for a solution.
KING JAMES HRMH
Great British Empire
Regards,
The Australian
LORD HIS EXCELLENCY JAMES HRMH (& HMRH)
of Hougun Manor & Glencoe & British Empire
MR. Damian A. James Williamson
Wills
et al.
Willtech
www.willtech.com.au
www.go-overt.com
and other projects
earn.com/willtech
linkedin.com/in/damianwilliamson
m. 0487135719
f. +61261470192
This email does not constitute a general advice. Please disregard this email if misdelivered.
________________________________
From: bitcoin-dev <bitcoin-dev-bounces@lists.linuxfoundation.org> on behalf of Keagan McClelland via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Sent: Tuesday, 11 May 2021 1:01 AM
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>; Erik Aronesty <erik@q32.com>
Cc: SatoshiSingh <SatoshiSingh@protonmail.com>
Subject: Re: [bitcoin-dev] Opinion on proof of stake in future
To reiterate some of the points here. My problem with proof of stake is twofold.
1. It requires permission of coin holders to enter into the system. This is not true of proof of work. You may even attempt (though not successfully) a proof of work with pencil and paper and submit the block from a regular laptop if you so choose. Whether this level of permissionlessness is necessary is up to individual risk tolerance etc. but it is definitely the default preference of Bitcoin.
2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks. This introduction of trust is generally considered to be a nonstarter in Bitcoin. Proof of Work regulates this by making blocks fundamentally difficult to produce in the first place.
Like Jeremy, I’m always interested to learn about new attempts in consensus algorithms, but the bar to clear is very high and proof of stake to date has not proposed much less demonstrated a set of properties that is consistent with Bitcoins objectives.
Keagan
On Mon, May 10, 2021 at 8:43 AM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org<mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:
personally, not speaking for anyone else, i think that proof-of-burn
has a much higher likelihood of being a) good enough security and b)
solving the nothing-at-stake problem
the only issue i see with a quality PoB implementation is a robust
solution to the block-timing problem.
https://grisha.org/blog/2018/01/23/explaining-proof-of-work/
i do think there *could* be other low-energy solutions to verifiable
timing, just haven't seen one
On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org<mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:
>
> Hello list,
>
> I am a lurker here and like many of you I worry about the energy usage of bitcoin mining. I understand a lot mining happens with renewable resources but the impact is still high.
>
> I want to get your opinion on implementing proof of stake for bitcoin mining in future. For now, proof of stake is still untested and not battle tested like proof of work. Though someday it will be.
>
> In the following years we'll be seeing proof of stake being implemented. Smaller networks can test PoS which is a luxury bitcoin can't afford. Here's how I see this the possibilities:
>
> 1 - Proof of stake isn't a good enough security mechanism
> 2 - Proof of state is a good security mechanism and works as intended
>
> IF PoS turns out to be good after battle testing, would you consider implementing it for Bitcoin? I understand this would invoke a lot of controversies and a hard fork that no one likes. But its important enough to consider a hard fork. What are your opinions provided PoS does work?
>
> Love from India.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org<mailto:bitcoin-dev@lists.linuxfoundation.org>
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org<mailto:bitcoin-dev@lists.linuxfoundation.org>
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 7982 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-10 15:01 ` Keagan McClelland
2021-05-10 21:22 ` LORD HIS EXCELLENCY JAMES HRMH
@ 2021-05-10 21:51 ` Jeremy
2021-05-17 16:58 ` Erik Aronesty
1 sibling, 1 reply; 67+ messages in thread
From: Jeremy @ 2021-05-10 21:51 UTC (permalink / raw)
To: Keagan McClelland, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 239 bytes --]
re: 2, there's been some promising developments with Verifiable Delay
Functions that make me think that the block regulation problems are
solvable without requiring brute-force search proof of work. Are those
inapplicable for some reason?
[-- Attachment #2: Type: text/html, Size: 510 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-10 21:51 ` Jeremy
@ 2021-05-17 16:58 ` Erik Aronesty
2021-05-18 7:06 ` ZmnSCPxj
0 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-17 16:58 UTC (permalink / raw)
To: Jeremy; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
Verifiable Delay Functions involve active participation of a single
verifier. Without this a VDF decays into a proof-of-work (multiple
verifiers === parallelism).
The verifier, in this case is "the bitcoin network" taken as a whole.
I think it is reasonable to consider that some difficult-to-game
property of the last N blocks (like the hash of the last 100
block-id's or whatever), could be the verification input.
The VDF gets calculated by *every* eligible proof-of-burn miner, and
then this is used to prevent a timing issue.
Seems reasonable to me, but I haven't looked too far into the
requirements of VDF's
nice summary for anyone who is interested:
https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3bec2bf4
While VDF's almost always lead to a "cpu-speed monopoly", this would
only be helpful for block latency in a proof-of-burn chain. Block
height would be calculated by eligible-miner-burned-coins, so the
monopoly could be easily avoided.
There has been some decent earlier work on blind/uncensorable burns:
https://eprint.iacr.org/2019/1096.pdf
A miner could then reveal A) the VDF and B) proof-of-burn as a part of
a block. Nodes would simply select the block with A) a valid VDF and
B) the highest "qualified" POB.
With most burns running at a loss, and no way to predict the next
"winning burn", and the VDF providing timing, I'm not sure how this is
worse than Bitcoin's existing system.
On Mon, May 10, 2021 at 5:51 PM Jeremy <jlrubin@mit.edu> wrote:
>
> re: 2, there's been some promising developments with Verifiable Delay Functions that make me think that the block regulation problems are solvable without requiring brute-force search proof of work. Are those inapplicable for some reason?
>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-17 16:58 ` Erik Aronesty
@ 2021-05-18 7:06 ` ZmnSCPxj
2021-05-18 10:16 ` Zac Greenwood
0 siblings, 1 reply; 67+ messages in thread
From: ZmnSCPxj @ 2021-05-18 7:06 UTC (permalink / raw)
To: Erik Aronesty, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
Good morning Erik,
> Verifiable Delay Functions involve active participation of a single
> verifier. Without this a VDF decays into a proof-of-work (multiple
> verifiers === parallelism).
>
> The verifier, in this case is "the bitcoin network" taken as a whole.
> I think it is reasonable to consider that some difficult-to-game
> property of the last N blocks (like the hash of the last 100
> block-id's or whatever), could be the verification input.
>
> The VDF gets calculated by every eligible proof-of-burn miner, and
> then this is used to prevent a timing issue.
>
> Seems reasonable to me, but I haven't looked too far into the
> requirements of VDF's
>
> nice summary for anyone who is interested:
> https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3bec2bf4
>
> While VDF's almost always lead to a "cpu-speed monopoly", this would
> only be helpful for block latency in a proof-of-burn chain. Block
> height would be calculated by eligible-miner-burned-coins, so the
> monopoly could be easily avoided.
Interesting link.
However, I would like to point out that the *real* reason that PoW consumes lots of power is ***NOT***:
* Proof-of-work is parallelizable, so it allows miners consume more energy (by buying more grinders) in order to get more blocks than their competitors.
The *real* reason is:
* Proof-of-work allows miners to consume more energy in order to get more blocks than their competitors.
VDFs attempt to sidestep that by removing parallelism.
However, there are ways to increase *sequential* speed, such as:
* Overclocking.
* This shortens lifetime, so you can spend more energy (on building new miners) in order to get more blocks than your competitors.
* Lower temperatures.
* This requires refrigeration/cooling, so you can spend more energy (on the refrigeration process) in order to get more blocks than your competitors.
I am certain people with gaming rigs can point out more ways to improve sequential speed, as necessary to get more frames per second.
Given the above, I think VDFs will still fail at their intended task.
Speed, yo.
Thus, VDFs do not serve as a sufficient deterrent away from ever-increasing energy consumption --- it just moves the energy consumption increase away from the obvious (parallelism) to the obscure-if-you-have-no-gamer-buds.
You humans just need to get up to Kardashev 1.0, stat.
Regards,
ZmnSCPxj
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-18 7:06 ` ZmnSCPxj
@ 2021-05-18 10:16 ` Zac Greenwood
2021-05-18 10:42 ` ZmnSCPxj
0 siblings, 1 reply; 67+ messages in thread
From: Zac Greenwood @ 2021-05-18 10:16 UTC (permalink / raw)
To: Bitcoin Protocol Discussion, ZmnSCPxj; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 3278 bytes --]
VDFs might enable more constant block times, for instance by having a
two-step PoW:
1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to
difficulty adjustments similar to the as-is). As per the property of VDFs,
miners are able show proof of work.
2. Use current PoW mechanism with lower difficulty so finding a block takes
1 minute on average, again subject to as-is difficulty adjustments.
As a result, variation in block times will be greatly reduced.
Zac
On Tue, 18 May 2021 at 09:07, ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Good morning Erik,
>
> > Verifiable Delay Functions involve active participation of a single
> > verifier. Without this a VDF decays into a proof-of-work (multiple
> > verifiers === parallelism).
> >
> > The verifier, in this case is "the bitcoin network" taken as a whole.
> > I think it is reasonable to consider that some difficult-to-game
> > property of the last N blocks (like the hash of the last 100
> > block-id's or whatever), could be the verification input.
> >
> > The VDF gets calculated by every eligible proof-of-burn miner, and
> > then this is used to prevent a timing issue.
> >
> > Seems reasonable to me, but I haven't looked too far into the
> > requirements of VDF's
> >
> > nice summary for anyone who is interested:
> > https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3bec2bf4
> >
> > While VDF's almost always lead to a "cpu-speed monopoly", this would
> > only be helpful for block latency in a proof-of-burn chain. Block
> > height would be calculated by eligible-miner-burned-coins, so the
> > monopoly could be easily avoided.
>
> Interesting link.
>
> However, I would like to point out that the *real* reason that PoW
> consumes lots of power is ***NOT***:
>
> * Proof-of-work is parallelizable, so it allows miners consume more energy
> (by buying more grinders) in order to get more blocks than their
> competitors.
>
> The *real* reason is:
>
> * Proof-of-work allows miners to consume more energy in order to get more
> blocks than their competitors.
>
> VDFs attempt to sidestep that by removing parallelism.
> However, there are ways to increase *sequential* speed, such as:
>
> * Overclocking.
> * This shortens lifetime, so you can spend more energy (on building new
> miners) in order to get more blocks than your competitors.
> * Lower temperatures.
> * This requires refrigeration/cooling, so you can spend more energy (on
> the refrigeration process) in order to get more blocks than your
> competitors.
>
> I am certain people with gaming rigs can point out more ways to improve
> sequential speed, as necessary to get more frames per second.
>
> Given the above, I think VDFs will still fail at their intended task.
> Speed, yo.
>
> Thus, VDFs do not serve as a sufficient deterrent away from
> ever-increasing energy consumption --- it just moves the energy consumption
> increase away from the obvious (parallelism) to the
> obscure-if-you-have-no-gamer-buds.
>
> You humans just need to get up to Kardashev 1.0, stat.
>
> Regards,
> ZmnSCPxj
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 4403 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-18 10:16 ` Zac Greenwood
@ 2021-05-18 10:42 ` ZmnSCPxj
2021-05-18 14:02 ` Zac Greenwood
0 siblings, 1 reply; 67+ messages in thread
From: ZmnSCPxj @ 2021-05-18 10:42 UTC (permalink / raw)
To: Zac Greenwood; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
Good morning Zac,
> VDFs might enable more constant block times, for instance by having a two-step PoW:
>
> 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>
> 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>
> As a result, variation in block times will be greatly reduced.
As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
Regards,
ZmnSCPxj
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-18 10:42 ` ZmnSCPxj
@ 2021-05-18 14:02 ` Zac Greenwood
2021-05-18 18:52 ` Erik Aronesty
0 siblings, 1 reply; 67+ messages in thread
From: Zac Greenwood @ 2021-05-18 14:02 UTC (permalink / raw)
To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 1412 bytes --]
Hi ZmnSCPxj,
Please note that I am not suggesting VDFs as a means to save energy, but
solely as a means to make the time between blocks more constant.
Zac
On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
> Good morning Zac,
>
> > VDFs might enable more constant block times, for instance by having a
> two-step PoW:
> >
> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to
> difficulty adjustments similar to the as-is). As per the property of VDFs,
> miners are able show proof of work.
> >
> > 2. Use current PoW mechanism with lower difficulty so finding a block
> takes 1 minute on average, again subject to as-is difficulty adjustments.
> >
> > As a result, variation in block times will be greatly reduced.
>
> As I understand it, another weakness of VDFs is that they are not
> inherently progress-free (their sequential nature prevents that; they are
> inherently progress-requiring).
>
> Thus, a miner which focuses on improving the amount of energy that it can
> pump into the VDF circuitry (by overclocking and freezing the circuitry),
> could potentially get into a winner-takes-all situation, possibly leading
> to even *worse* competition and even *more* energy consumption.
> After all, if you can start mining 0.1s faster than the competition, that
> is a 0.1s advantage where *only you* can mine *in the entire world*.
>
> Regards,
> ZmnSCPxj
>
[-- Attachment #2: Type: text/html, Size: 2149 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-18 14:02 ` Zac Greenwood
@ 2021-05-18 18:52 ` Erik Aronesty
2021-05-19 14:07 ` Michael Dubrovsky
0 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-18 18:52 UTC (permalink / raw)
To: Zac Greenwood; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
1. i never suggested vdf's to replace pow.
2. my suggestion was specifically *in the context of* a working
proof-of-burn protocol
- vdfs used only for timing (not block height)
- blind-burned coins of a specific age used to replace proof of work
- the required "work" per block would simply be a competition to
acquire rewards, and so miners would have to burn coins, well in
advance, and hope that their burned coins got rewarded in some far
future
- the point of burned coins is to mimic, in every meaningful way, the
value gained from proof of work... without some of the security
drawbacks
- the miner risks losing all of his burned coins (like all miners risk
losing their work in each block)
- new burns can't be used
- old burns age out (like ASICs do)
- other requirements on burns might be needed to properly mirror the
properties of PoW and the incentives Bitcoin uses to mine honestly.
3. i do believe it is *possible* that a "burned coin + vdf system"
might be more secure in the long run, and that if the entire space
agreed that such an endeavor was worthwhile, a test net could be spun
up, and a hard-fork could be initiated.
4. i would never suggest such a thing unless i believed it was
possible that consensus was possible. so no, this is not an "alt
coin"
On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>
> Hi ZmnSCPxj,
>
> Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>
> Zac
>
>
> On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>
>> Good morning Zac,
>>
>> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>> >
>> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>> >
>> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>> >
>> > As a result, variation in block times will be greatly reduced.
>>
>> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>
>> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>
>> Regards,
>> ZmnSCPxj
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-18 18:52 ` Erik Aronesty
@ 2021-05-19 14:07 ` Michael Dubrovsky
2021-05-19 15:30 ` Michael Dubrovsky
0 siblings, 1 reply; 67+ messages in thread
From: Michael Dubrovsky @ 2021-05-19 14:07 UTC (permalink / raw)
To: Erik Aronesty, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 3781 bytes --]
Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself.
PoS, VDFs, and so on are interesting but I guess there are other threads
going on these topics already where they would be relevant.
Also, it's important to distinguish between oPoW and these other
"alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
the core game theory or security assumptions of Hashcash and actually
contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
Cheers,
Mike
On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> 1. i never suggested vdf's to replace pow.
>
> 2. my suggestion was specifically *in the context of* a working
> proof-of-burn protocol
>
> - vdfs used only for timing (not block height)
> - blind-burned coins of a specific age used to replace proof of work
> - the required "work" per block would simply be a competition to
> acquire rewards, and so miners would have to burn coins, well in
> advance, and hope that their burned coins got rewarded in some far
> future
> - the point of burned coins is to mimic, in every meaningful way, the
> value gained from proof of work... without some of the security
> drawbacks
> - the miner risks losing all of his burned coins (like all miners risk
> losing their work in each block)
> - new burns can't be used
> - old burns age out (like ASICs do)
> - other requirements on burns might be needed to properly mirror the
> properties of PoW and the incentives Bitcoin uses to mine honestly.
>
> 3. i do believe it is *possible* that a "burned coin + vdf system"
> might be more secure in the long run, and that if the entire space
> agreed that such an endeavor was worthwhile, a test net could be spun
> up, and a hard-fork could be initiated.
>
> 4. i would never suggest such a thing unless i believed it was
> possible that consensus was possible. so no, this is not an "alt
> coin"
>
> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
> >
> > Hi ZmnSCPxj,
> >
> > Please note that I am not suggesting VDFs as a means to save energy, but
> solely as a means to make the time between blocks more constant.
> >
> > Zac
> >
> >
> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
> >>
> >> Good morning Zac,
> >>
> >> > VDFs might enable more constant block times, for instance by having a
> two-step PoW:
> >> >
> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject
> to difficulty adjustments similar to the as-is). As per the property of
> VDFs, miners are able show proof of work.
> >> >
> >> > 2. Use current PoW mechanism with lower difficulty so finding a block
> takes 1 minute on average, again subject to as-is difficulty adjustments.
> >> >
> >> > As a result, variation in block times will be greatly reduced.
> >>
> >> As I understand it, another weakness of VDFs is that they are not
> inherently progress-free (their sequential nature prevents that; they are
> inherently progress-requiring).
> >>
> >> Thus, a miner which focuses on improving the amount of energy that it
> can pump into the VDF circuitry (by overclocking and freezing the
> circuitry), could potentially get into a winner-takes-all situation,
> possibly leading to even *worse* competition and even *more* energy
> consumption.
> >> After all, if you can start mining 0.1s faster than the competition,
> that is a 0.1s advantage where *only you* can mine *in the entire world*.
> >>
> >> Regards,
> >> ZmnSCPxj
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--
Michael Dubrovsky
Founder; PoWx
www.PoWx.org <http://www.powx.org/>
[-- Attachment #2: Type: text/html, Size: 5124 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-19 14:07 ` Michael Dubrovsky
@ 2021-05-19 15:30 ` Michael Dubrovsky
2021-05-21 0:04 ` Billy Tetrud
0 siblings, 1 reply; 67+ messages in thread
From: Michael Dubrovsky @ 2021-05-19 15:30 UTC (permalink / raw)
To: Erik Aronesty, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 4115 bytes --]
Ah sorry, I didn't realize this was, in fact, a different thread! :)
On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself.
> PoS, VDFs, and so on are interesting but I guess there are other threads
> going on these topics already where they would be relevant.
>
> Also, it's important to distinguish between oPoW and these other
> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
> the core game theory or security assumptions of Hashcash and actually
> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>
> Cheers,
> Mike
>
> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> 1. i never suggested vdf's to replace pow.
>>
>> 2. my suggestion was specifically *in the context of* a working
>> proof-of-burn protocol
>>
>> - vdfs used only for timing (not block height)
>> - blind-burned coins of a specific age used to replace proof of work
>> - the required "work" per block would simply be a competition to
>> acquire rewards, and so miners would have to burn coins, well in
>> advance, and hope that their burned coins got rewarded in some far
>> future
>> - the point of burned coins is to mimic, in every meaningful way, the
>> value gained from proof of work... without some of the security
>> drawbacks
>> - the miner risks losing all of his burned coins (like all miners risk
>> losing their work in each block)
>> - new burns can't be used
>> - old burns age out (like ASICs do)
>> - other requirements on burns might be needed to properly mirror the
>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>
>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>> might be more secure in the long run, and that if the entire space
>> agreed that such an endeavor was worthwhile, a test net could be spun
>> up, and a hard-fork could be initiated.
>>
>> 4. i would never suggest such a thing unless i believed it was
>> possible that consensus was possible. so no, this is not an "alt
>> coin"
>>
>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>> >
>> > Hi ZmnSCPxj,
>> >
>> > Please note that I am not suggesting VDFs as a means to save energy,
>> but solely as a means to make the time between blocks more constant.
>> >
>> > Zac
>> >
>> >
>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>> >>
>> >> Good morning Zac,
>> >>
>> >> > VDFs might enable more constant block times, for instance by having
>> a two-step PoW:
>> >> >
>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject
>> to difficulty adjustments similar to the as-is). As per the property of
>> VDFs, miners are able show proof of work.
>> >> >
>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
>> block takes 1 minute on average, again subject to as-is difficulty
>> adjustments.
>> >> >
>> >> > As a result, variation in block times will be greatly reduced.
>> >>
>> >> As I understand it, another weakness of VDFs is that they are not
>> inherently progress-free (their sequential nature prevents that; they are
>> inherently progress-requiring).
>> >>
>> >> Thus, a miner which focuses on improving the amount of energy that it
>> can pump into the VDF circuitry (by overclocking and freezing the
>> circuitry), could potentially get into a winner-takes-all situation,
>> possibly leading to even *worse* competition and even *more* energy
>> consumption.
>> >> After all, if you can start mining 0.1s faster than the competition,
>> that is a 0.1s advantage where *only you* can mine *in the entire world*.
>> >>
>> >> Regards,
>> >> ZmnSCPxj
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
> --
> Michael Dubrovsky
> Founder; PoWx
> www.PoWx.org <http://www.powx.org/>
>
--
Michael Dubrovsky
Founder; PoWx
www.PoWx.org <http://www.powx.org/>
[-- Attachment #2: Type: text/html, Size: 5905 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-19 15:30 ` Michael Dubrovsky
@ 2021-05-21 0:04 ` Billy Tetrud
2021-05-21 9:42 ` vizeet srivastava
` (2 more replies)
0 siblings, 3 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-05-21 0:04 UTC (permalink / raw)
To: Michael Dubrovsky, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 10126 bytes --]
I think there is a lot of misinformation and bias against Proof of Stake.
Yes there have been lots of shady coins that use insecure PoS mechanisms.
Yes there have been massive issues with distribution of PoS coins (of
course there have also been massive issues with PoW coins as well).
However, I want to remind everyone that there is a difference between
"proved to be impossible" and "have not achieved recognized success yet".
Most of the arguments levied against PoS are out of date or rely on
unproven assumptions or extrapolation from the analysis of a particular PoS
system. I certainly don't think we should experiment with bitcoin by
switching to PoS, but from my research, it seems very likely that there is
a proof of stake consensus protocol we could build that has substantially
higher security (cost / capital required to execute an attack) while at the
same time costing far less resources (which do translate to fees on the
network) *without* compromising any of the critical security properties
bitcoin relies on. I think the critical piece of this is the disagreements
around hardcoded checkpoints, which is a critical piece solving attacks
that could be levied on a PoS chain, and how that does (or doesn't) affect
the security model.
@Eric Your proof of stake fallacy seems to be saying that PoS is worse when
a 51% attack happens. While I agree, I think that line of thinking omits
important facts:
* The capital required to 51% attack a PoS chain can be made substantially
greater than on a PoS chain.
* The capital the attacker stands to lose can be substantially greater as
well if the attack is successful.
* The effectiveness of paying miners to raise the honest fraction of miners
above 50% may be quite bad.
* Allowing a 51% attack is already unacceptable. It should be considered
whether what happens in the case of a 51% may not be significantly
different. The currency would likely be critically damaged in a 51% attack
regardless of consensus mechanism.
> Proof-of-stake tends towards oligopolistic control
People repeat this often, but the facts support this. There is no
centralization pressure in any proof of stake mechanism that I'm aware of.
IE if you have 10 times as much coin that you use to mint blocks, you
should expect to earn 10x as much minting revenue - not more than 10x. By
contrast, proof of work does in fact have clear centralization pressure -
this is not disputed. Our goal in relation to that is to ensure that the
centralization pressure remains insignifiant. Proof of work also clearly
has a lot more barriers to entry than any proof of stake system does. Both
of these mean the tendency towards oligopolistic control is worse for PoW.
> Energy usage, in-and-of-itself, is nothing to be ashamed of!!
I certainly agree. Bitcoin's energy usage at the moment is I think quite
warranted. However, the question is: can we do substantially better. I
think if we can, we probably should... eventually.
> Proof of Stake is only resilient to ⅓ of the network demonstrating a
Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
I see no mention of this in the pos.pdf
<https://download.wpsoftware.net/bitcoin/pos.pdf> you linked to. I'm not
aware of any proof that *all *PoS systems have a failure threshold of 1/3.
I know that staking systems like Casper do in fact have that 1/3
requirement. However there are PoS designs that should exceed that up to
nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
to the 1/2 threshold in the way you would think. IE, if 100% of miners are
currently honest and have a collective 100 exahashes/s hashpower, an
attacker does not need to obtain 100 exahashes/s, but actually only needs
to accumulate 50 exahashes/s. This is because as the attacker accumulates
hashpower, it drives honest miners out of the market as the difficulty
increases to beyond what is economically sustainable. Also, its been shown
that the best proof of work can do is require an attacker to obtain 33% of
the hashpower because of the selfish mining attack
<https://github.com/fresheneesz/quantificationOfConsensusProtocolSecurity#the-selfish-economic-attack>
discussed
in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of
these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
> Proof of Stake requires other trade-offs which are incompatible with
Bitcoin's objective (to be a trustless digital cash) — specifically the
famous "security vs. liveness" guarantee
Do you have a good source that talks about why you think proof of stake
cannot be used for a trustless digital cash?
> You cannot gain tokens without someone choosing to give up those coins -
a form of permission.
This is not a practical constraint. Just like in mining, some nodes may
reject you, but there will likely be more that will accept you, some
sellers may reject you, but most would accept your money as payment for
bitcoins. I don't think requiring the "permission" of one of millions of
people in the market can be reasonably considered a "permissioned
currency".
> 2. Proof of stake must have a trusted means of timestamping to regulate
overproduction of blocks
Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to
double their clock speeds. Both systems rely on an honest majority sticking
to standard time.
On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>
> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>
>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself.
>> PoS, VDFs, and so on are interesting but I guess there are other threads
>> going on these topics already where they would be relevant.
>>
>> Also, it's important to distinguish between oPoW and these other
>> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
>> the core game theory or security assumptions of Hashcash and actually
>> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>
>> Cheers,
>> Mike
>>
>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> 1. i never suggested vdf's to replace pow.
>>>
>>> 2. my suggestion was specifically *in the context of* a working
>>> proof-of-burn protocol
>>>
>>> - vdfs used only for timing (not block height)
>>> - blind-burned coins of a specific age used to replace proof of work
>>> - the required "work" per block would simply be a competition to
>>> acquire rewards, and so miners would have to burn coins, well in
>>> advance, and hope that their burned coins got rewarded in some far
>>> future
>>> - the point of burned coins is to mimic, in every meaningful way, the
>>> value gained from proof of work... without some of the security
>>> drawbacks
>>> - the miner risks losing all of his burned coins (like all miners risk
>>> losing their work in each block)
>>> - new burns can't be used
>>> - old burns age out (like ASICs do)
>>> - other requirements on burns might be needed to properly mirror the
>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>
>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>> might be more secure in the long run, and that if the entire space
>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>> up, and a hard-fork could be initiated.
>>>
>>> 4. i would never suggest such a thing unless i believed it was
>>> possible that consensus was possible. so no, this is not an "alt
>>> coin"
>>>
>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
>>> wrote:
>>> >
>>> > Hi ZmnSCPxj,
>>> >
>>> > Please note that I am not suggesting VDFs as a means to save energy,
>>> but solely as a means to make the time between blocks more constant.
>>> >
>>> > Zac
>>> >
>>> >
>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
>>> wrote:
>>> >>
>>> >> Good morning Zac,
>>> >>
>>> >> > VDFs might enable more constant block times, for instance by having
>>> a two-step PoW:
>>> >> >
>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject
>>> to difficulty adjustments similar to the as-is). As per the property of
>>> VDFs, miners are able show proof of work.
>>> >> >
>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
>>> block takes 1 minute on average, again subject to as-is difficulty
>>> adjustments.
>>> >> >
>>> >> > As a result, variation in block times will be greatly reduced.
>>> >>
>>> >> As I understand it, another weakness of VDFs is that they are not
>>> inherently progress-free (their sequential nature prevents that; they are
>>> inherently progress-requiring).
>>> >>
>>> >> Thus, a miner which focuses on improving the amount of energy that it
>>> can pump into the VDF circuitry (by overclocking and freezing the
>>> circuitry), could potentially get into a winner-takes-all situation,
>>> possibly leading to even *worse* competition and even *more* energy
>>> consumption.
>>> >> After all, if you can start mining 0.1s faster than the competition,
>>> that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>> >>
>>> >> Regards,
>>> >> ZmnSCPxj
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
>>
>> --
>> Michael Dubrovsky
>> Founder; PoWx
>> www.PoWx.org <http://www.powx.org/>
>>
>
>
> --
> Michael Dubrovsky
> Founder; PoWx
> www.PoWx.org <http://www.powx.org/>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 13058 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-21 0:04 ` Billy Tetrud
@ 2021-05-21 9:42 ` vizeet srivastava
2021-05-21 20:57 ` Erik Aronesty
2021-05-23 3:41 ` Lloyd Fournier
2 siblings, 0 replies; 67+ messages in thread
From: vizeet srivastava @ 2021-05-21 9:42 UTC (permalink / raw)
To: Billy Tetrud, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 11014 bytes --]
It is difficult to understand how energy usage is a bad thing.
At one end we talk about energy usage as a bad thing and we also talk about
global warming.
If Earth is receiving extra energy which is causing global warming
shouldn't we use extra energy to do something useful.
On Fri, May 21, 2021 at 2:52 PM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> I think there is a lot of misinformation and bias against Proof of Stake.
> Yes there have been lots of shady coins that use insecure PoS mechanisms.
> Yes there have been massive issues with distribution of PoS coins (of
> course there have also been massive issues with PoW coins as well).
> However, I want to remind everyone that there is a difference between
> "proved to be impossible" and "have not achieved recognized success yet".
> Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
>
> @Eric Your proof of stake fallacy seems to be saying that PoS is worse
> when a 51% attack happens. While I agree, I think that line of thinking
> omits important facts:
> * The capital required to 51% attack a PoS chain can be made substantially
> greater than on a PoS chain.
> * The capital the attacker stands to lose can be substantially greater as
> well if the attack is successful.
> * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> * Allowing a 51% attack is already unacceptable. It should be considered
> whether what happens in the case of a 51% may not be significantly
> different. The currency would likely be critically damaged in a 51% attack
> regardless of consensus mechanism.
>
> > Proof-of-stake tends towards oligopolistic control
>
> People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignifiant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
>
> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>
> I certainly agree. Bitcoin's energy usage at the moment is I think quite
> warranted. However, the question is: can we do substantially better. I
> think if we can, we probably should... eventually.
>
> > Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>
> I see no mention of this in the pos.pdf
> <https://download.wpsoftware.net/bitcoin/pos.pdf> you linked to. I'm not
> aware of any proof that *all *PoS systems have a failure threshold of
> 1/3. I know that staking systems like Casper do in fact have that 1/3
> requirement. However there are PoS designs that should exceed that up to
> nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
> to the 1/2 threshold in the way you would think. IE, if 100% of miners are
> currently honest and have a collective 100 exahashes/s hashpower, an
> attacker does not need to obtain 100 exahashes/s, but actually only needs
> to accumulate 50 exahashes/s. This is because as the attacker accumulates
> hashpower, it drives honest miners out of the market as the difficulty
> increases to beyond what is economically sustainable. Also, its been shown
> that the best proof of work can do is require an attacker to obtain 33% of
> the hashpower because of the selfish mining attack
> <https://github.com/fresheneesz/quantificationOfConsensusProtocolSecurity#the-selfish-economic-attack> discussed
> in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both
> of these things reduce PoW's security by a factor of about 83% (1 -
> 50%*33%).
>
> > Proof of Stake requires other trade-offs which are incompatible with
> Bitcoin's objective (to be a trustless digital cash) — specifically the
> famous "security vs. liveness" guarantee
>
> Do you have a good source that talks about why you think proof of stake
> cannot be used for a trustless digital cash?
>
> > You cannot gain tokens without someone choosing to give up those coins -
> a form of permission.
>
> This is not a practical constraint. Just like in mining, some nodes may
> reject you, but there will likely be more that will accept you, some
> sellers may reject you, but most would accept your money as payment for
> bitcoins. I don't think requiring the "permission" of one of millions of
> people in the market can be reasonably considered a "permissioned
> currency".
>
> > 2. Proof of stake must have a trusted means of timestamping to regulate
> overproduction of blocks
>
> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed
> to double their clock speeds. Both systems rely on an honest majority
> sticking to standard time.
>
>
> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>
>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>
>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP
>>> itself. PoS, VDFs, and so on are interesting but I guess there are other
>>> threads going on these topics already where they would be relevant.
>>>
>>> Also, it's important to distinguish between oPoW and these other
>>> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
>>> the core game theory or security assumptions of Hashcash and actually
>>> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>
>>> Cheers,
>>> Mike
>>>
>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>> 1. i never suggested vdf's to replace pow.
>>>>
>>>> 2. my suggestion was specifically *in the context of* a working
>>>> proof-of-burn protocol
>>>>
>>>> - vdfs used only for timing (not block height)
>>>> - blind-burned coins of a specific age used to replace proof of work
>>>> - the required "work" per block would simply be a competition to
>>>> acquire rewards, and so miners would have to burn coins, well in
>>>> advance, and hope that their burned coins got rewarded in some far
>>>> future
>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>> value gained from proof of work... without some of the security
>>>> drawbacks
>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>> losing their work in each block)
>>>> - new burns can't be used
>>>> - old burns age out (like ASICs do)
>>>> - other requirements on burns might be needed to properly mirror the
>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>
>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>> might be more secure in the long run, and that if the entire space
>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>> up, and a hard-fork could be initiated.
>>>>
>>>> 4. i would never suggest such a thing unless i believed it was
>>>> possible that consensus was possible. so no, this is not an "alt
>>>> coin"
>>>>
>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
>>>> wrote:
>>>> >
>>>> > Hi ZmnSCPxj,
>>>> >
>>>> > Please note that I am not suggesting VDFs as a means to save energy,
>>>> but solely as a means to make the time between blocks more constant.
>>>> >
>>>> > Zac
>>>> >
>>>> >
>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
>>>> wrote:
>>>> >>
>>>> >> Good morning Zac,
>>>> >>
>>>> >> > VDFs might enable more constant block times, for instance by
>>>> having a two-step PoW:
>>>> >> >
>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being
>>>> subject to difficulty adjustments similar to the as-is). As per the
>>>> property of VDFs, miners are able show proof of work.
>>>> >> >
>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
>>>> block takes 1 minute on average, again subject to as-is difficulty
>>>> adjustments.
>>>> >> >
>>>> >> > As a result, variation in block times will be greatly reduced.
>>>> >>
>>>> >> As I understand it, another weakness of VDFs is that they are not
>>>> inherently progress-free (their sequential nature prevents that; they are
>>>> inherently progress-requiring).
>>>> >>
>>>> >> Thus, a miner which focuses on improving the amount of energy that
>>>> it can pump into the VDF circuitry (by overclocking and freezing the
>>>> circuitry), could potentially get into a winner-takes-all situation,
>>>> possibly leading to even *worse* competition and even *more* energy
>>>> consumption.
>>>> >> After all, if you can start mining 0.1s faster than the competition,
>>>> that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>> >>
>>>> >> Regards,
>>>> >> ZmnSCPxj
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>>
>>>
>>> --
>>> Michael Dubrovsky
>>> Founder; PoWx
>>> www.PoWx.org <http://www.powx.org/>
>>>
>>
>>
>> --
>> Michael Dubrovsky
>> Founder; PoWx
>> www.PoWx.org <http://www.powx.org/>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 14195 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-21 0:04 ` Billy Tetrud
2021-05-21 9:42 ` vizeet srivastava
@ 2021-05-21 20:57 ` Erik Aronesty
2021-05-21 21:45 ` Billy Tetrud
2021-05-23 3:41 ` Lloyd Fournier
2 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-21 20:57 UTC (permalink / raw)
To: Billy Tetrud; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
proof of burn has all the benefits of proof of stake (if there are any)
but it also solves the "nothing at stake" problem
the incentive in POB is that you're making a long-term investment in
mining, and you want a stable protocol, quality network, etc.... to
pay off your investment.
On Thu, May 20, 2021 at 8:04 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>
> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>
> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>
> > Proof-of-stake tends towards oligopolistic control
>
> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>
> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>
> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>
> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>
> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>
> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>
> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>
> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>
> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>
> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>
> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>
>
> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>
>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>>
>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>>
>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>
>>> Cheers,
>>> Mike
>>>
>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>
>>>> 1. i never suggested vdf's to replace pow.
>>>>
>>>> 2. my suggestion was specifically *in the context of* a working
>>>> proof-of-burn protocol
>>>>
>>>> - vdfs used only for timing (not block height)
>>>> - blind-burned coins of a specific age used to replace proof of work
>>>> - the required "work" per block would simply be a competition to
>>>> acquire rewards, and so miners would have to burn coins, well in
>>>> advance, and hope that their burned coins got rewarded in some far
>>>> future
>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>> value gained from proof of work... without some of the security
>>>> drawbacks
>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>> losing their work in each block)
>>>> - new burns can't be used
>>>> - old burns age out (like ASICs do)
>>>> - other requirements on burns might be needed to properly mirror the
>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>
>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>> might be more secure in the long run, and that if the entire space
>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>> up, and a hard-fork could be initiated.
>>>>
>>>> 4. i would never suggest such a thing unless i believed it was
>>>> possible that consensus was possible. so no, this is not an "alt
>>>> coin"
>>>>
>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>>> >
>>>> > Hi ZmnSCPxj,
>>>> >
>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>>> >
>>>> > Zac
>>>> >
>>>> >
>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>>> >>
>>>> >> Good morning Zac,
>>>> >>
>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>>> >> >
>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>>> >> >
>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>>> >> >
>>>> >> > As a result, variation in block times will be greatly reduced.
>>>> >>
>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>>> >>
>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>> >>
>>>> >> Regards,
>>>> >> ZmnSCPxj
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>>
>>>
>>> --
>>> Michael Dubrovsky
>>> Founder; PoWx
>>> www.PoWx.org
>>
>>
>>
>> --
>> Michael Dubrovsky
>> Founder; PoWx
>> www.PoWx.org
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-21 20:57 ` Erik Aronesty
@ 2021-05-21 21:45 ` Billy Tetrud
0 siblings, 0 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-05-21 21:45 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 11419 bytes --]
@Erik
> it also solves the "nothing at stake" problem
A. the "nothing at stake" problem can be and has been solved by PoS
consensus mechanisms (unless you mean it more broadly than I'm taking it),
and B. Proof of Burn should have just as much "nothing at stake" issues as
PoS. Both consensus mechanisms depend on the current state of the chain to
determine whether someone's stake or burn would allow the creation of a
block. But I am curious, how does proof of burn solve the "nothing at
stake" problem in your view?
On Fri, May 21, 2021 at 10:58 AM Erik Aronesty <erik@q32.com> wrote:
> proof of burn has all the benefits of proof of stake (if there are any)
>
> but it also solves the "nothing at stake" problem
>
> the incentive in POB is that you're making a long-term investment in
> mining, and you want a stable protocol, quality network, etc.... to
> pay off your investment.
>
> On Thu, May 20, 2021 at 8:04 PM Billy Tetrud <billy.tetrud@gmail.com>
> wrote:
> >
> > I think there is a lot of misinformation and bias against Proof of
> Stake. Yes there have been lots of shady coins that use insecure PoS
> mechanisms. Yes there have been massive issues with distribution of PoS
> coins (of course there have also been massive issues with PoW coins as
> well). However, I want to remind everyone that there is a difference
> between "proved to be impossible" and "have not achieved recognized success
> yet". Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
> >
> > @Eric Your proof of stake fallacy seems to be saying that PoS is worse
> when a 51% attack happens. While I agree, I think that line of thinking
> omits important facts:
> > * The capital required to 51% attack a PoS chain can be made
> substantially greater than on a PoS chain.
> > * The capital the attacker stands to lose can be substantially greater
> as well if the attack is successful.
> > * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> > * Allowing a 51% attack is already unacceptable. It should be considered
> whether what happens in the case of a 51% may not be significantly
> different. The currency would likely be critically damaged in a 51% attack
> regardless of consensus mechanism.
> >
> > > Proof-of-stake tends towards oligopolistic control
> >
> > People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignifiant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
> >
> > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> >
> > I certainly agree. Bitcoin's energy usage at the moment is I think quite
> warranted. However, the question is: can we do substantially better. I
> think if we can, we probably should... eventually.
> >
> > > Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> >
> > I see no mention of this in the pos.pdf you linked to. I'm not aware of
> any proof that all PoS systems have a failure threshold of 1/3. I know that
> staking systems like Casper do in fact have that 1/3 requirement. However
> there are PoS designs that should exceed that up to nearly 50% as far as
> I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold
> in the way you would think. IE, if 100% of miners are currently honest and
> have a collective 100 exahashes/s hashpower, an attacker does not need to
> obtain 100 exahashes/s, but actually only needs to accumulate 50
> exahashes/s. This is because as the attacker accumulates hashpower, it
> drives honest miners out of the market as the difficulty increases to
> beyond what is economically sustainable. Also, its been shown that the best
> proof of work can do is require an attacker to obtain 33% of the hashpower
> because of the selfish mining attack discussed in depth in this paper:
> https://arxiv.org/abs/1311.0243. Together, both of these things reduce
> PoW's security by a factor of about 83% (1 - 50%*33%).
> >
> > > Proof of Stake requires other trade-offs which are incompatible with
> Bitcoin's objective (to be a trustless digital cash) — specifically the
> famous "security vs. liveness" guarantee
> >
> > Do you have a good source that talks about why you think proof of stake
> cannot be used for a trustless digital cash?
> >
> > > You cannot gain tokens without someone choosing to give up those coins
> - a form of permission.
> >
> > This is not a practical constraint. Just like in mining, some nodes may
> reject you, but there will likely be more that will accept you, some
> sellers may reject you, but most would accept your money as payment for
> bitcoins. I don't think requiring the "permission" of one of millions of
> people in the market can be reasonably considered a "permissioned currency".
> >
> > > 2. Proof of stake must have a trusted means of timestamping to
> regulate overproduction of blocks
> >
> > Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed
> to double their clock speeds. Both systems rely on an honest majority
> sticking to standard time.
> >
> >
> > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >> Ah sorry, I didn't realize this was, in fact, a different thread! :)
> >>
> >> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org>
> wrote:
> >>>
> >>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP
> itself. PoS, VDFs, and so on are interesting but I guess there are other
> threads going on these topics already where they would be relevant.
> >>>
> >>> Also, it's important to distinguish between oPoW and these other
> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
> the core game theory or security assumptions of Hashcash and actually
> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> >>>
> >>> Cheers,
> >>> Mike
> >>>
> >>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>>>
> >>>> 1. i never suggested vdf's to replace pow.
> >>>>
> >>>> 2. my suggestion was specifically *in the context of* a working
> >>>> proof-of-burn protocol
> >>>>
> >>>> - vdfs used only for timing (not block height)
> >>>> - blind-burned coins of a specific age used to replace proof of work
> >>>> - the required "work" per block would simply be a competition to
> >>>> acquire rewards, and so miners would have to burn coins, well in
> >>>> advance, and hope that their burned coins got rewarded in some far
> >>>> future
> >>>> - the point of burned coins is to mimic, in every meaningful way, the
> >>>> value gained from proof of work... without some of the security
> >>>> drawbacks
> >>>> - the miner risks losing all of his burned coins (like all miners risk
> >>>> losing their work in each block)
> >>>> - new burns can't be used
> >>>> - old burns age out (like ASICs do)
> >>>> - other requirements on burns might be needed to properly mirror the
> >>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
> >>>>
> >>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
> >>>> might be more secure in the long run, and that if the entire space
> >>>> agreed that such an endeavor was worthwhile, a test net could be spun
> >>>> up, and a hard-fork could be initiated.
> >>>>
> >>>> 4. i would never suggest such a thing unless i believed it was
> >>>> possible that consensus was possible. so no, this is not an "alt
> >>>> coin"
> >>>>
> >>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
> wrote:
> >>>> >
> >>>> > Hi ZmnSCPxj,
> >>>> >
> >>>> > Please note that I am not suggesting VDFs as a means to save
> energy, but solely as a means to make the time between blocks more constant.
> >>>> >
> >>>> > Zac
> >>>> >
> >>>> >
> >>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
> wrote:
> >>>> >>
> >>>> >> Good morning Zac,
> >>>> >>
> >>>> >> > VDFs might enable more constant block times, for instance by
> having a two-step PoW:
> >>>> >> >
> >>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being
> subject to difficulty adjustments similar to the as-is). As per the
> property of VDFs, miners are able show proof of work.
> >>>> >> >
> >>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
> block takes 1 minute on average, again subject to as-is difficulty
> adjustments.
> >>>> >> >
> >>>> >> > As a result, variation in block times will be greatly reduced.
> >>>> >>
> >>>> >> As I understand it, another weakness of VDFs is that they are not
> inherently progress-free (their sequential nature prevents that; they are
> inherently progress-requiring).
> >>>> >>
> >>>> >> Thus, a miner which focuses on improving the amount of energy that
> it can pump into the VDF circuitry (by overclocking and freezing the
> circuitry), could potentially get into a winner-takes-all situation,
> possibly leading to even *worse* competition and even *more* energy
> consumption.
> >>>> >> After all, if you can start mining 0.1s faster than the
> competition, that is a 0.1s advantage where *only you* can mine *in the
> entire world*.
> >>>> >>
> >>>> >> Regards,
> >>>> >> ZmnSCPxj
> >>>> _______________________________________________
> >>>> bitcoin-dev mailing list
> >>>> bitcoin-dev@lists.linuxfoundation.org
> >>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >>>
> >>>
> >>>
> >>> --
> >>> Michael Dubrovsky
> >>> Founder; PoWx
> >>> www.PoWx.org
> >>
> >>
> >>
> >> --
> >> Michael Dubrovsky
> >> Founder; PoWx
> >> www.PoWx.org
> >> _______________________________________________
> >> bitcoin-dev mailing list
> >> bitcoin-dev@lists.linuxfoundation.org
> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 14215 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-21 0:04 ` Billy Tetrud
2021-05-21 9:42 ` vizeet srivastava
2021-05-21 20:57 ` Erik Aronesty
@ 2021-05-23 3:41 ` Lloyd Fournier
2021-05-23 19:10 ` Billy Tetrud
` (2 more replies)
2 siblings, 3 replies; 67+ messages in thread
From: Lloyd Fournier @ 2021-05-23 3:41 UTC (permalink / raw)
To: Billy Tetrud, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 16837 bytes --]
Hi Billy,
I was going to write a post which started by dismissing many of the weak
arguments that are made against PoS made in this thread and elsewhere.
Although I don't agree with all your points you have done a decent job here
so I'll focus on the second part: why I think Proof-of-Stake is
inappropriate for a Bitcoin-like system.
Proof of stake is not fit for purpose for a global settlement layer in a
pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
be.
PoS necessarily gives responsibilities to the holders of coins that they do
not want and cannot handle.
In Bitcoin, large unsophisticated coin holders can put their coins in cold
storage without a second thought given to the health of the underlying
ledger.
As much as hardcore Bitcoiners try to convince them to run their own node,
most don't, and that's perfectly acceptable.
At no point do their personal decisions affect the underlying consensus --
it only affects their personal security assurance (not that of the system
itself).
In PoS systems this clean separation of responsibilities does not exist.
I think that the more rigorously studied PoS protocols will work fine
within the security claims made in their papers.
People who believe that these protocols are destined for catastrophic
consensus failure are certainly in for a surprise.
But the devil is in the detail.
Let's look at what the implications of using the leading proof of stake
protocols would have on Bitcoin:
### Proof of SquareSpace (Cardano, Polkdadot)
Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
inbuilt on-chain delegation system[5].
In these protocols, coin holders who do not want to run their node with
their hot keys in it delegate it to a "Stake Pool".
I call the resulting system Proof-of-SquareSpace since most will choose a
pool by looking around for one with a nice website and offering the largest
share of the block reward.
On the surface this might sound no different than someone with an mining
rig shopping around for a good mining pool but there are crucial
differences:
1. The person making the decision is forced into it just because they own
the currency -- someone with a mining rig has purchased it with the intent
to make profit by participating in consensus.
2. When you join a mining pool your systems are very much still online. You
are just partaking in a pool to reduce your profit variance. You still see
every block that you help create and *you never help create a block without
seeing it first*.
3. If by SquareSpace sybil attack you gain a dishonest majority and start
censoring transactions how are the users meant to redelegate their stake to
honest pools?
I guess they can just send a transaction delegating to another pool...oh
wait I guess that might be censored too! This seems really really bad.
In Bitcoin, miners can just join a different pool at a whim. There is
nothing the attacker can do to stop them. A temporary dishonest majority
heals relatively well.
There is another severe disadvantage to this on-chain delegation system:
every UTXO must indicate which staking account this UTXO belongs to so the
appropriate share of block rewards can be transferred there.
Being able to associate every UTXO to an account ruins one of the main
privacy advantages of the UTXO model.
It also grows the size of the blockchain significantly.
### "Pure" proof of stake (Algorand)
Algorand's[4] approach is to only allow online stake to participate in the
protocol.
Theoretically, This means that keys holding funds have to be online in
order for them to author blocks when they are chosen.
Of course in reality no one wants to keep their coin holding keys online so
in Alogorand you can authorize a set of "participation keys"[1] that will
be used to create blocks on your coin holding key's behalf.
Hopefully you've spotted the problem.
You can send your participation keys to any malicious party with a nice
website (see random example [2]) offering you a good return.
Damn it's still Proof-of-SquareSpace!
The minor advantage is that at least the participation keys expire after a
certain amount of time so eventually the SquareSpace attacker will lose
their hold on consensus.
Importantly there is also less junk on the blockchain because the
participation keys are delegated off-chain and so are not making as much of
a mess.
### Conclusion
I don't see a way to get around the conflicting requirement that the keys
for large amounts of coins should be kept offline but those are exactly the
coins we need online to make the scheme secure.
If we allow delegation then we open up a new social attack surface and it
degenerates to Proof-of-SquareSpace.
For a "digital gold" like system like Bitcoin we optimize for simplicity
and desperately want to avoid extraneous responsibilities for the holder of
the coin.
After all, gold is an inert element on the periodic table that doesn't
confer responsibilities on the holder to maintain the quality of all the
other bars of gold out there.
Bitcoin feels like this too and in many ways is more inert and beautifully
boring than gold.
For Bitcoin to succeed I think we need to keep it that way and
Proof-of-Stake makes everything a bit too exciting.
I suppose in the end the market will decide what is real digital gold and
whether these bad technical trade offs are worth being able to say it uses
less electricity. It goes without saying that making bad technical
decisions to appease the current political climate is an anathema to
Bitcoin.
Would be interested to know if you or others think differently on these
points.
[1]:
https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
[2]: https://staking.staked.us/algorand-staking
[3]: https://eprint.iacr.org/2017/573.pdf
[4]:
https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
[5]:
https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
Cheers,
LL
On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> I think there is a lot of misinformation and bias against Proof of Stake.
> Yes there have been lots of shady coins that use insecure PoS mechanisms.
> Yes there have been massive issues with distribution of PoS coins (of
> course there have also been massive issues with PoW coins as well).
> However, I want to remind everyone that there is a difference between
> "proved to be impossible" and "have not achieved recognized success yet".
> Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
>
> @Eric Your proof of stake fallacy seems to be saying that PoS is worse
> when a 51% attack happens. While I agree, I think that line of thinking
> omits important facts:
> * The capital required to 51% attack a PoS chain can be made substantially
> greater than on a PoS chain.
> * The capital the attacker stands to lose can be substantially greater as
> well if the attack is successful.
> * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> * Allowing a 51% attack is already unacceptable. It should be considered
> whether what happens in the case of a 51% may not be significantly
> different. The currency would likely be critically damaged in a 51% attack
> regardless of consensus mechanism.
>
> > Proof-of-stake tends towards oligopolistic control
>
> People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignifiant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
>
> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>
> I certainly agree. Bitcoin's energy usage at the moment is I think quite
> warranted. However, the question is: can we do substantially better. I
> think if we can, we probably should... eventually.
>
> > Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>
> I see no mention of this in the pos.pdf
> <https://download.wpsoftware.net/bitcoin/pos.pdf> you linked to. I'm not
> aware of any proof that *all *PoS systems have a failure threshold of
> 1/3. I know that staking systems like Casper do in fact have that 1/3
> requirement. However there are PoS designs that should exceed that up to
> nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
> to the 1/2 threshold in the way you would think. IE, if 100% of miners are
> currently honest and have a collective 100 exahashes/s hashpower, an
> attacker does not need to obtain 100 exahashes/s, but actually only needs
> to accumulate 50 exahashes/s. This is because as the attacker accumulates
> hashpower, it drives honest miners out of the market as the difficulty
> increases to beyond what is economically sustainable. Also, its been shown
> that the best proof of work can do is require an attacker to obtain 33% of
> the hashpower because of the selfish mining attack
> <https://github.com/fresheneesz/quantificationOfConsensusProtocolSecurity#the-selfish-economic-attack> discussed
> in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both
> of these things reduce PoW's security by a factor of about 83% (1 -
> 50%*33%).
>
> > Proof of Stake requires other trade-offs which are incompatible with
> Bitcoin's objective (to be a trustless digital cash) — specifically the
> famous "security vs. liveness" guarantee
>
> Do you have a good source that talks about why you think proof of stake
> cannot be used for a trustless digital cash?
>
> > You cannot gain tokens without someone choosing to give up those coins -
> a form of permission.
>
> This is not a practical constraint. Just like in mining, some nodes may
> reject you, but there will likely be more that will accept you, some
> sellers may reject you, but most would accept your money as payment for
> bitcoins. I don't think requiring the "permission" of one of millions of
> people in the market can be reasonably considered a "permissioned
> currency".
>
> > 2. Proof of stake must have a trusted means of timestamping to regulate
> overproduction of blocks
>
> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed
> to double their clock speeds. Both systems rely on an honest majority
> sticking to standard time.
>
>
> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>
>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>
>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP
>>> itself. PoS, VDFs, and so on are interesting but I guess there are other
>>> threads going on these topics already where they would be relevant.
>>>
>>> Also, it's important to distinguish between oPoW and these other
>>> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
>>> the core game theory or security assumptions of Hashcash and actually
>>> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>
>>> Cheers,
>>> Mike
>>>
>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>> 1. i never suggested vdf's to replace pow.
>>>>
>>>> 2. my suggestion was specifically *in the context of* a working
>>>> proof-of-burn protocol
>>>>
>>>> - vdfs used only for timing (not block height)
>>>> - blind-burned coins of a specific age used to replace proof of work
>>>> - the required "work" per block would simply be a competition to
>>>> acquire rewards, and so miners would have to burn coins, well in
>>>> advance, and hope that their burned coins got rewarded in some far
>>>> future
>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>> value gained from proof of work... without some of the security
>>>> drawbacks
>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>> losing their work in each block)
>>>> - new burns can't be used
>>>> - old burns age out (like ASICs do)
>>>> - other requirements on burns might be needed to properly mirror the
>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>
>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>> might be more secure in the long run, and that if the entire space
>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>> up, and a hard-fork could be initiated.
>>>>
>>>> 4. i would never suggest such a thing unless i believed it was
>>>> possible that consensus was possible. so no, this is not an "alt
>>>> coin"
>>>>
>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
>>>> wrote:
>>>> >
>>>> > Hi ZmnSCPxj,
>>>> >
>>>> > Please note that I am not suggesting VDFs as a means to save energy,
>>>> but solely as a means to make the time between blocks more constant.
>>>> >
>>>> > Zac
>>>> >
>>>> >
>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
>>>> wrote:
>>>> >>
>>>> >> Good morning Zac,
>>>> >>
>>>> >> > VDFs might enable more constant block times, for instance by
>>>> having a two-step PoW:
>>>> >> >
>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being
>>>> subject to difficulty adjustments similar to the as-is). As per the
>>>> property of VDFs, miners are able show proof of work.
>>>> >> >
>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
>>>> block takes 1 minute on average, again subject to as-is difficulty
>>>> adjustments.
>>>> >> >
>>>> >> > As a result, variation in block times will be greatly reduced.
>>>> >>
>>>> >> As I understand it, another weakness of VDFs is that they are not
>>>> inherently progress-free (their sequential nature prevents that; they are
>>>> inherently progress-requiring).
>>>> >>
>>>> >> Thus, a miner which focuses on improving the amount of energy that
>>>> it can pump into the VDF circuitry (by overclocking and freezing the
>>>> circuitry), could potentially get into a winner-takes-all situation,
>>>> possibly leading to even *worse* competition and even *more* energy
>>>> consumption.
>>>> >> After all, if you can start mining 0.1s faster than the competition,
>>>> that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>> >>
>>>> >> Regards,
>>>> >> ZmnSCPxj
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>>
>>>
>>> --
>>> Michael Dubrovsky
>>> Founder; PoWx
>>> www.PoWx.org <http://www.powx.org/>
>>>
>>
>>
>> --
>> Michael Dubrovsky
>> Founder; PoWx
>> www.PoWx.org <http://www.powx.org/>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 20698 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-23 3:41 ` Lloyd Fournier
@ 2021-05-23 19:10 ` Billy Tetrud
2021-05-23 19:28 ` Billy Tetrud
2021-05-24 13:47 ` Erik Aronesty
2021-06-15 11:13 ` James MacWhyte
2 siblings, 1 reply; 67+ messages in thread
From: Billy Tetrud @ 2021-05-23 19:10 UTC (permalink / raw)
To: Lloyd Fournier; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 21420 bytes --]
@Lloyd
> Proof-of-SquareSpace
I agree with your points about delegated proof of stake. I wrote my own
critique about that
<https://github.com/fresheneesz/quantificationOfConsensusProtocolSecurity#analysis-of-delegated-proof-of-stake-dpos>
as
well. And your point, that other forms of PoS devolve to DPoS by virtue of
people wanting to actively mint blocks without exposing their coins in hot
wallets, is an interesting one.
> how are the users meant to redelegate their stake to honest pools?
This could be mitigated partially if delegation didn't require any kind of
blockchain transaction. For example, users could simply send a signed
message saying "this other key can mint blocks with my coins", and then
minting a block using those coins would require presenting the delegation
signature. This only partially mitigates the problem since the dishonest
pool would still be able to use those coins as well, so it would be a race
at that point. Still better than nothing. And pools could simply require
full custody of the coins.
From what you mentioned, it sounds like maybe Algorand does something
similar to this.
> I don't see a way to get around the conflicting requirement that the keys
for large amounts of coins should be kept offline but those are exactly the
coins we need online to make the scheme secure.
There are a couple solutions you didn't mention. One is your "traditional"
locked-stake kind of systems, where participants are required to lock their
stake for long periods of time. Since normal users aren't likely to want to
do this, it will likely be left to more sophisticated stakers likely
staking very large amounts.
Both mechanisms you mentioned allow delegation, and it might seem like
maybe there'd be a way to disallow delegation, however since users can
always give custody of their coins to trusted pools, that would be a
delgation mechanism of last resort that can't be removed. So you can do
things that make it hard (for both users and pool operators) to delegate
trustlessly, but you can't get rid of the ability to delgate entirely.
In general, the situations where I see people not pooling are:
A. They are entirely prevented by technical means. It seems reasonably
clear that this is impossible.
B. The downsides are more than unsophisticated users are willing to incur
(eg stake locking).
C. The rewards are so small that it isn't worth it for people to put in
much effort to gain them.
D. The rewards are so frequent that pooling is unnecessary.
B excludes a lot of people from being able to help secure the chain, but
this is not materially different from PoW mining in that regard. D is a bit
border line. With 1 billion people attempting to participate and 10 minute
blocks, 232 people would need to share the block reward in order to expect
a payout on average once per month. With 8 billion people that would turn
into more like 1700 people. This seems potentially doable (eg via cosigner
requirements on minted blocks), but it is a lot of participants per block.
I think options C and D combined would be an ideal approach here. Because
minting uses very few real resources, minting could be pretty much have
arbitrarily low ongoing costs. This means fees can be low and blocks can
have low payouts. If the reward was low and people could expect to see it
once every couple years, people could simply treat it like a lottery. Great
if they win it now, but nothing that anyone needs to rely on (which would
incentivize the pools to reduce variance that we want to avoid). If there
is no locked stake or other major barriers in place to minting blocks, that
would also help avoid the compultion to use a pool.
In any case, you bring up good points, and they certainly complicate the
issue. By the way, if you were confused as to what VPoS was in the section
from my above link, this might satisfy your curiosity
<https://github.com/fresheneesz/ValidatedProofOfStake>.
Cheers
On Sat, May 22, 2021 at 5:41 PM Lloyd Fournier <lloyd.fourn@gmail.com>
wrote:
> Hi Billy,
>
> I was going to write a post which started by dismissing many of the weak
> arguments that are made against PoS made in this thread and elsewhere.
> Although I don't agree with all your points you have done a decent job
> here so I'll focus on the second part: why I think Proof-of-Stake is
> inappropriate for a Bitcoin-like system.
>
> Proof of stake is not fit for purpose for a global settlement layer in a
> pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
> be.
> PoS necessarily gives responsibilities to the holders of coins that they
> do not want and cannot handle.
> In Bitcoin, large unsophisticated coin holders can put their coins in cold
> storage without a second thought given to the health of the underlying
> ledger.
> As much as hardcore Bitcoiners try to convince them to run their own node,
> most don't, and that's perfectly acceptable.
> At no point do their personal decisions affect the underlying consensus --
> it only affects their personal security assurance (not that of the system
> itself).
> In PoS systems this clean separation of responsibilities does not exist.
>
> I think that the more rigorously studied PoS protocols will work fine
> within the security claims made in their papers.
> People who believe that these protocols are destined for catastrophic
> consensus failure are certainly in for a surprise.
> But the devil is in the detail.
> Let's look at what the implications of using the leading proof of stake
> protocols would have on Bitcoin:
>
> ### Proof of SquareSpace (Cardano, Polkdadot)
>
> Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
> inbuilt on-chain delegation system[5].
> In these protocols, coin holders who do not want to run their node with
> their hot keys in it delegate it to a "Stake Pool".
> I call the resulting system Proof-of-SquareSpace since most will choose a
> pool by looking around for one with a nice website and offering the largest
> share of the block reward.
> On the surface this might sound no different than someone with an mining
> rig shopping around for a good mining pool but there are crucial
> differences:
>
> 1. The person making the decision is forced into it just because they own
> the currency -- someone with a mining rig has purchased it with the intent
> to make profit by participating in consensus.
>
> 2. When you join a mining pool your systems are very much still online.
> You are just partaking in a pool to reduce your profit variance. You still
> see every block that you help create and *you never help create a block
> without seeing it first*.
>
> 3. If by SquareSpace sybil attack you gain a dishonest majority and start
> censoring transactions how are the users meant to redelegate their stake to
> honest pools?
> I guess they can just send a transaction delegating to another pool...oh
> wait I guess that might be censored too! This seems really really bad.
> In Bitcoin, miners can just join a different pool at a whim. There is
> nothing the attacker can do to stop them. A temporary dishonest majority
> heals relatively well.
>
> There is another severe disadvantage to this on-chain delegation system:
> every UTXO must indicate which staking account this UTXO belongs to so the
> appropriate share of block rewards can be transferred there.
> Being able to associate every UTXO to an account ruins one of the main
> privacy advantages of the UTXO model.
> It also grows the size of the blockchain significantly.
>
> ### "Pure" proof of stake (Algorand)
>
> Algorand's[4] approach is to only allow online stake to participate in the
> protocol.
> Theoretically, This means that keys holding funds have to be online in
> order for them to author blocks when they are chosen.
> Of course in reality no one wants to keep their coin holding keys online
> so in Alogorand you can authorize a set of "participation keys"[1] that
> will be used to create blocks on your coin holding key's behalf.
> Hopefully you've spotted the problem.
> You can send your participation keys to any malicious party with a nice
> website (see random example [2]) offering you a good return.
> Damn it's still Proof-of-SquareSpace!
> The minor advantage is that at least the participation keys expire after a
> certain amount of time so eventually the SquareSpace attacker will lose
> their hold on consensus.
> Importantly there is also less junk on the blockchain because the
> participation keys are delegated off-chain and so are not making as much of
> a mess.
>
> ### Conclusion
>
> I don't see a way to get around the conflicting requirement that the keys
> for large amounts of coins should be kept offline but those are exactly the
> coins we need online to make the scheme secure.
> If we allow delegation then we open up a new social attack surface and it
> degenerates to Proof-of-SquareSpace.
>
> For a "digital gold" like system like Bitcoin we optimize for simplicity
> and desperately want to avoid extraneous responsibilities for the holder of
> the coin.
> After all, gold is an inert element on the periodic table that doesn't
> confer responsibilities on the holder to maintain the quality of all the
> other bars of gold out there.
> Bitcoin feels like this too and in many ways is more inert and beautifully
> boring than gold.
> For Bitcoin to succeed I think we need to keep it that way and
> Proof-of-Stake makes everything a bit too exciting.
>
> I suppose in the end the market will decide what is real digital gold and
> whether these bad technical trade offs are worth being able to say it uses
> less electricity. It goes without saying that making bad technical
> decisions to appease the current political climate is an anathema to
> Bitcoin.
>
> Would be interested to know if you or others think differently on these
> points.
>
> [1]:
> https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
> [2]: https://staking.staked.us/algorand-staking
> [3]: https://eprint.iacr.org/2017/573.pdf
> [4]:
> https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
> [5]:
> https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>
> Cheers,
>
> LL
>
> On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> I think there is a lot of misinformation and bias against Proof of Stake.
>> Yes there have been lots of shady coins that use insecure PoS mechanisms.
>> Yes there have been massive issues with distribution of PoS coins (of
>> course there have also been massive issues with PoW coins as well).
>> However, I want to remind everyone that there is a difference between
>> "proved to be impossible" and "have not achieved recognized success yet".
>> Most of the arguments levied against PoS are out of date or rely on
>> unproven assumptions or extrapolation from the analysis of a particular PoS
>> system. I certainly don't think we should experiment with bitcoin by
>> switching to PoS, but from my research, it seems very likely that there is
>> a proof of stake consensus protocol we could build that has substantially
>> higher security (cost / capital required to execute an attack) while at the
>> same time costing far less resources (which do translate to fees on the
>> network) *without* compromising any of the critical security properties
>> bitcoin relies on. I think the critical piece of this is the disagreements
>> around hardcoded checkpoints, which is a critical piece solving attacks
>> that could be levied on a PoS chain, and how that does (or doesn't) affect
>> the security model.
>>
>> @Eric Your proof of stake fallacy seems to be saying that PoS is worse
>> when a 51% attack happens. While I agree, I think that line of thinking
>> omits important facts:
>> * The capital required to 51% attack a PoS chain can be made
>> substantially greater than on a PoS chain.
>> * The capital the attacker stands to lose can be substantially greater as
>> well if the attack is successful.
>> * The effectiveness of paying miners to raise the honest fraction of
>> miners above 50% may be quite bad.
>> * Allowing a 51% attack is already unacceptable. It should be considered
>> whether what happens in the case of a 51% may not be significantly
>> different. The currency would likely be critically damaged in a 51% attack
>> regardless of consensus mechanism.
>>
>> > Proof-of-stake tends towards oligopolistic control
>>
>> People repeat this often, but the facts support this. There is no
>> centralization pressure in any proof of stake mechanism that I'm aware of.
>> IE if you have 10 times as much coin that you use to mint blocks, you
>> should expect to earn 10x as much minting revenue - not more than 10x. By
>> contrast, proof of work does in fact have clear centralization pressure -
>> this is not disputed. Our goal in relation to that is to ensure that the
>> centralization pressure remains insignifiant. Proof of work also clearly
>> has a lot more barriers to entry than any proof of stake system does. Both
>> of these mean the tendency towards oligopolistic control is worse for PoW.
>>
>> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>
>> I certainly agree. Bitcoin's energy usage at the moment is I think quite
>> warranted. However, the question is: can we do substantially better. I
>> think if we can, we probably should... eventually.
>>
>> > Proof of Stake is only resilient to ⅓ of the network demonstrating a
>> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>
>> I see no mention of this in the pos.pdf
>> <https://download.wpsoftware.net/bitcoin/pos.pdf> you linked to. I'm not
>> aware of any proof that *all *PoS systems have a failure threshold of
>> 1/3. I know that staking systems like Casper do in fact have that 1/3
>> requirement. However there are PoS designs that should exceed that up to
>> nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
>> to the 1/2 threshold in the way you would think. IE, if 100% of miners are
>> currently honest and have a collective 100 exahashes/s hashpower, an
>> attacker does not need to obtain 100 exahashes/s, but actually only needs
>> to accumulate 50 exahashes/s. This is because as the attacker accumulates
>> hashpower, it drives honest miners out of the market as the difficulty
>> increases to beyond what is economically sustainable. Also, its been shown
>> that the best proof of work can do is require an attacker to obtain 33% of
>> the hashpower because of the selfish mining attack
>> <https://github.com/fresheneesz/quantificationOfConsensusProtocolSecurity#the-selfish-economic-attack> discussed
>> in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both
>> of these things reduce PoW's security by a factor of about 83% (1 -
>> 50%*33%).
>>
>> > Proof of Stake requires other trade-offs which are incompatible with
>> Bitcoin's objective (to be a trustless digital cash) — specifically the
>> famous "security vs. liveness" guarantee
>>
>> Do you have a good source that talks about why you think proof of stake
>> cannot be used for a trustless digital cash?
>>
>> > You cannot gain tokens without someone choosing to give up those coins
>> - a form of permission.
>>
>> This is not a practical constraint. Just like in mining, some nodes may
>> reject you, but there will likely be more that will accept you, some
>> sellers may reject you, but most would accept your money as payment for
>> bitcoins. I don't think requiring the "permission" of one of millions of
>> people in the market can be reasonably considered a "permissioned
>> currency".
>>
>> > 2. Proof of stake must have a trusted means of timestamping to regulate
>> overproduction of blocks
>>
>> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed
>> to double their clock speeds. Both systems rely on an honest majority
>> sticking to standard time.
>>
>>
>> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>
>>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org>
>>> wrote:
>>>
>>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP
>>>> itself. PoS, VDFs, and so on are interesting but I guess there are other
>>>> threads going on these topics already where they would be relevant.
>>>>
>>>> Also, it's important to distinguish between oPoW and these other
>>>> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
>>>> the core game theory or security assumptions of Hashcash and actually
>>>> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>>
>>>> Cheers,
>>>> Mike
>>>>
>>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
>>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>
>>>>> 1. i never suggested vdf's to replace pow.
>>>>>
>>>>> 2. my suggestion was specifically *in the context of* a working
>>>>> proof-of-burn protocol
>>>>>
>>>>> - vdfs used only for timing (not block height)
>>>>> - blind-burned coins of a specific age used to replace proof of work
>>>>> - the required "work" per block would simply be a competition to
>>>>> acquire rewards, and so miners would have to burn coins, well in
>>>>> advance, and hope that their burned coins got rewarded in some far
>>>>> future
>>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>>> value gained from proof of work... without some of the security
>>>>> drawbacks
>>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>>> losing their work in each block)
>>>>> - new burns can't be used
>>>>> - old burns age out (like ASICs do)
>>>>> - other requirements on burns might be needed to properly mirror the
>>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>>
>>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>>> might be more secure in the long run, and that if the entire space
>>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>>> up, and a hard-fork could be initiated.
>>>>>
>>>>> 4. i would never suggest such a thing unless i believed it was
>>>>> possible that consensus was possible. so no, this is not an "alt
>>>>> coin"
>>>>>
>>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
>>>>> wrote:
>>>>> >
>>>>> > Hi ZmnSCPxj,
>>>>> >
>>>>> > Please note that I am not suggesting VDFs as a means to save energy,
>>>>> but solely as a means to make the time between blocks more constant.
>>>>> >
>>>>> > Zac
>>>>> >
>>>>> >
>>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
>>>>> wrote:
>>>>> >>
>>>>> >> Good morning Zac,
>>>>> >>
>>>>> >> > VDFs might enable more constant block times, for instance by
>>>>> having a two-step PoW:
>>>>> >> >
>>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being
>>>>> subject to difficulty adjustments similar to the as-is). As per the
>>>>> property of VDFs, miners are able show proof of work.
>>>>> >> >
>>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
>>>>> block takes 1 minute on average, again subject to as-is difficulty
>>>>> adjustments.
>>>>> >> >
>>>>> >> > As a result, variation in block times will be greatly reduced.
>>>>> >>
>>>>> >> As I understand it, another weakness of VDFs is that they are not
>>>>> inherently progress-free (their sequential nature prevents that; they are
>>>>> inherently progress-requiring).
>>>>> >>
>>>>> >> Thus, a miner which focuses on improving the amount of energy that
>>>>> it can pump into the VDF circuitry (by overclocking and freezing the
>>>>> circuitry), could potentially get into a winner-takes-all situation,
>>>>> possibly leading to even *worse* competition and even *more* energy
>>>>> consumption.
>>>>> >> After all, if you can start mining 0.1s faster than the
>>>>> competition, that is a 0.1s advantage where *only you* can mine *in the
>>>>> entire world*.
>>>>> >>
>>>>> >> Regards,
>>>>> >> ZmnSCPxj
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>>
>>>>
>>>> --
>>>> Michael Dubrovsky
>>>> Founder; PoWx
>>>> www.PoWx.org <http://www.powx.org/>
>>>>
>>>
>>>
>>> --
>>> Michael Dubrovsky
>>> Founder; PoWx
>>> www.PoWx.org <http://www.powx.org/>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
[-- Attachment #2: Type: text/html, Size: 25604 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-23 19:10 ` Billy Tetrud
@ 2021-05-23 19:28 ` Billy Tetrud
0 siblings, 0 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-05-23 19:28 UTC (permalink / raw)
To: Lloyd Fournier; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 22504 bytes --]
I made a couple typos and mistakes in my couple previous emails:
* "People repeat this often, but the facts support this" -> "the facts *don't
*support this"
* "Together, both of these things reduce PoW's security by a factor of
about 83% (1 - 50%*33%)." -> "factor of about 83% (1 - 50%**(50% - 33%)/50%*)."
(I made a mistake that happened to come out to an almost identical result
coincidentally).
* "And pools could simply require full custody of the coins." -> "*But *pools
could..."
On Sun, May 23, 2021 at 9:10 AM Billy Tetrud <billy.tetrud@gmail.com> wrote:
> @Lloyd
>
> > Proof-of-SquareSpace
>
> I agree with your points about delegated proof of stake. I wrote my own
> critique about that
> <https://github.com/fresheneesz/quantificationOfConsensusProtocolSecurity#analysis-of-delegated-proof-of-stake-dpos> as
> well. And your point, that other forms of PoS devolve to DPoS by virtue of
> people wanting to actively mint blocks without exposing their coins in hot
> wallets, is an interesting one.
>
> > how are the users meant to redelegate their stake to honest pools?
>
> This could be mitigated partially if delegation didn't require any kind of
> blockchain transaction. For example, users could simply send a signed
> message saying "this other key can mint blocks with my coins", and then
> minting a block using those coins would require presenting the delegation
> signature. This only partially mitigates the problem since the dishonest
> pool would still be able to use those coins as well, so it would be a race
> at that point. Still better than nothing. And pools could simply require
> full custody of the coins.
>
> From what you mentioned, it sounds like maybe Algorand does something
> similar to this.
>
> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
>
> There are a couple solutions you didn't mention. One is your "traditional"
> locked-stake kind of systems, where participants are required to lock their
> stake for long periods of time. Since normal users aren't likely to want to
> do this, it will likely be left to more sophisticated stakers likely
> staking very large amounts.
>
> Both mechanisms you mentioned allow delegation, and it might seem like
> maybe there'd be a way to disallow delegation, however since users can
> always give custody of their coins to trusted pools, that would be a
> delgation mechanism of last resort that can't be removed. So you can do
> things that make it hard (for both users and pool operators) to delegate
> trustlessly, but you can't get rid of the ability to delgate entirely.
>
> In general, the situations where I see people not pooling are:
>
> A. They are entirely prevented by technical means. It seems reasonably
> clear that this is impossible.
> B. The downsides are more than unsophisticated users are willing to incur
> (eg stake locking).
> C. The rewards are so small that it isn't worth it for people to put in
> much effort to gain them.
> D. The rewards are so frequent that pooling is unnecessary.
>
> B excludes a lot of people from being able to help secure the chain, but
> this is not materially different from PoW mining in that regard. D is a bit
> border line. With 1 billion people attempting to participate and 10 minute
> blocks, 232 people would need to share the block reward in order to expect
> a payout on average once per month. With 8 billion people that would turn
> into more like 1700 people. This seems potentially doable (eg via cosigner
> requirements on minted blocks), but it is a lot of participants per block.
>
> I think options C and D combined would be an ideal approach here. Because
> minting uses very few real resources, minting could be pretty much have
> arbitrarily low ongoing costs. This means fees can be low and blocks can
> have low payouts. If the reward was low and people could expect to see it
> once every couple years, people could simply treat it like a lottery. Great
> if they win it now, but nothing that anyone needs to rely on (which would
> incentivize the pools to reduce variance that we want to avoid). If there
> is no locked stake or other major barriers in place to minting blocks, that
> would also help avoid the compultion to use a pool.
>
> In any case, you bring up good points, and they certainly complicate the
> issue. By the way, if you were confused as to what VPoS was in the section
> from my above link, this might satisfy your curiosity
> <https://github.com/fresheneesz/ValidatedProofOfStake>.
>
> Cheers
>
>
>
>
> On Sat, May 22, 2021 at 5:41 PM Lloyd Fournier <lloyd.fourn@gmail.com>
> wrote:
>
>> Hi Billy,
>>
>> I was going to write a post which started by dismissing many of the weak
>> arguments that are made against PoS made in this thread and elsewhere.
>> Although I don't agree with all your points you have done a decent job
>> here so I'll focus on the second part: why I think Proof-of-Stake is
>> inappropriate for a Bitcoin-like system.
>>
>> Proof of stake is not fit for purpose for a global settlement layer in a
>> pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
>> be.
>> PoS necessarily gives responsibilities to the holders of coins that they
>> do not want and cannot handle.
>> In Bitcoin, large unsophisticated coin holders can put their coins in
>> cold storage without a second thought given to the health of the underlying
>> ledger.
>> As much as hardcore Bitcoiners try to convince them to run their own
>> node, most don't, and that's perfectly acceptable.
>> At no point do their personal decisions affect the underlying consensus
>> -- it only affects their personal security assurance (not that of the
>> system itself).
>> In PoS systems this clean separation of responsibilities does not exist.
>>
>> I think that the more rigorously studied PoS protocols will work fine
>> within the security claims made in their papers.
>> People who believe that these protocols are destined for catastrophic
>> consensus failure are certainly in for a surprise.
>> But the devil is in the detail.
>> Let's look at what the implications of using the leading proof of stake
>> protocols would have on Bitcoin:
>>
>> ### Proof of SquareSpace (Cardano, Polkdadot)
>>
>> Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
>> inbuilt on-chain delegation system[5].
>> In these protocols, coin holders who do not want to run their node with
>> their hot keys in it delegate it to a "Stake Pool".
>> I call the resulting system Proof-of-SquareSpace since most will choose a
>> pool by looking around for one with a nice website and offering the largest
>> share of the block reward.
>> On the surface this might sound no different than someone with an mining
>> rig shopping around for a good mining pool but there are crucial
>> differences:
>>
>> 1. The person making the decision is forced into it just because they own
>> the currency -- someone with a mining rig has purchased it with the intent
>> to make profit by participating in consensus.
>>
>> 2. When you join a mining pool your systems are very much still online.
>> You are just partaking in a pool to reduce your profit variance. You still
>> see every block that you help create and *you never help create a block
>> without seeing it first*.
>>
>> 3. If by SquareSpace sybil attack you gain a dishonest majority and start
>> censoring transactions how are the users meant to redelegate their stake to
>> honest pools?
>> I guess they can just send a transaction delegating to another pool...oh
>> wait I guess that might be censored too! This seems really really bad.
>> In Bitcoin, miners can just join a different pool at a whim. There is
>> nothing the attacker can do to stop them. A temporary dishonest majority
>> heals relatively well.
>>
>> There is another severe disadvantage to this on-chain delegation system:
>> every UTXO must indicate which staking account this UTXO belongs to so the
>> appropriate share of block rewards can be transferred there.
>> Being able to associate every UTXO to an account ruins one of the main
>> privacy advantages of the UTXO model.
>> It also grows the size of the blockchain significantly.
>>
>> ### "Pure" proof of stake (Algorand)
>>
>> Algorand's[4] approach is to only allow online stake to participate in
>> the protocol.
>> Theoretically, This means that keys holding funds have to be online in
>> order for them to author blocks when they are chosen.
>> Of course in reality no one wants to keep their coin holding keys online
>> so in Alogorand you can authorize a set of "participation keys"[1] that
>> will be used to create blocks on your coin holding key's behalf.
>> Hopefully you've spotted the problem.
>> You can send your participation keys to any malicious party with a nice
>> website (see random example [2]) offering you a good return.
>> Damn it's still Proof-of-SquareSpace!
>> The minor advantage is that at least the participation keys expire after
>> a certain amount of time so eventually the SquareSpace attacker will lose
>> their hold on consensus.
>> Importantly there is also less junk on the blockchain because the
>> participation keys are delegated off-chain and so are not making as much of
>> a mess.
>>
>> ### Conclusion
>>
>> I don't see a way to get around the conflicting requirement that the keys
>> for large amounts of coins should be kept offline but those are exactly the
>> coins we need online to make the scheme secure.
>> If we allow delegation then we open up a new social attack surface and it
>> degenerates to Proof-of-SquareSpace.
>>
>> For a "digital gold" like system like Bitcoin we optimize for simplicity
>> and desperately want to avoid extraneous responsibilities for the holder of
>> the coin.
>> After all, gold is an inert element on the periodic table that doesn't
>> confer responsibilities on the holder to maintain the quality of all the
>> other bars of gold out there.
>> Bitcoin feels like this too and in many ways is more inert and
>> beautifully boring than gold.
>> For Bitcoin to succeed I think we need to keep it that way and
>> Proof-of-Stake makes everything a bit too exciting.
>>
>> I suppose in the end the market will decide what is real digital gold and
>> whether these bad technical trade offs are worth being able to say it uses
>> less electricity. It goes without saying that making bad technical
>> decisions to appease the current political climate is an anathema to
>> Bitcoin.
>>
>> Would be interested to know if you or others think differently on these
>> points.
>>
>> [1]:
>> https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>> [2]: https://staking.staked.us/algorand-staking
>> [3]: https://eprint.iacr.org/2017/573.pdf
>> [4]:
>> https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>> [5]:
>> https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>
>> Cheers,
>>
>> LL
>>
>> On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> I think there is a lot of misinformation and bias against Proof of
>>> Stake. Yes there have been lots of shady coins that use insecure PoS
>>> mechanisms. Yes there have been massive issues with distribution of PoS
>>> coins (of course there have also been massive issues with PoW coins as
>>> well). However, I want to remind everyone that there is a difference
>>> between "proved to be impossible" and "have not achieved recognized success
>>> yet". Most of the arguments levied against PoS are out of date or rely on
>>> unproven assumptions or extrapolation from the analysis of a particular PoS
>>> system. I certainly don't think we should experiment with bitcoin by
>>> switching to PoS, but from my research, it seems very likely that there is
>>> a proof of stake consensus protocol we could build that has substantially
>>> higher security (cost / capital required to execute an attack) while at the
>>> same time costing far less resources (which do translate to fees on the
>>> network) *without* compromising any of the critical security properties
>>> bitcoin relies on. I think the critical piece of this is the disagreements
>>> around hardcoded checkpoints, which is a critical piece solving attacks
>>> that could be levied on a PoS chain, and how that does (or doesn't) affect
>>> the security model.
>>>
>>> @Eric Your proof of stake fallacy seems to be saying that PoS is worse
>>> when a 51% attack happens. While I agree, I think that line of thinking
>>> omits important facts:
>>> * The capital required to 51% attack a PoS chain can be made
>>> substantially greater than on a PoS chain.
>>> * The capital the attacker stands to lose can be substantially greater
>>> as well if the attack is successful.
>>> * The effectiveness of paying miners to raise the honest fraction of
>>> miners above 50% may be quite bad.
>>> * Allowing a 51% attack is already unacceptable. It should be considered
>>> whether what happens in the case of a 51% may not be significantly
>>> different. The currency would likely be critically damaged in a 51% attack
>>> regardless of consensus mechanism.
>>>
>>> > Proof-of-stake tends towards oligopolistic control
>>>
>>> People repeat this often, but the facts support this. There is no
>>> centralization pressure in any proof of stake mechanism that I'm aware of.
>>> IE if you have 10 times as much coin that you use to mint blocks, you
>>> should expect to earn 10x as much minting revenue - not more than 10x. By
>>> contrast, proof of work does in fact have clear centralization pressure -
>>> this is not disputed. Our goal in relation to that is to ensure that the
>>> centralization pressure remains insignifiant. Proof of work also clearly
>>> has a lot more barriers to entry than any proof of stake system does. Both
>>> of these mean the tendency towards oligopolistic control is worse for PoW.
>>>
>>> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>>
>>> I certainly agree. Bitcoin's energy usage at the moment is I think quite
>>> warranted. However, the question is: can we do substantially better. I
>>> think if we can, we probably should... eventually.
>>>
>>> > Proof of Stake is only resilient to ⅓ of the network demonstrating a
>>> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>>
>>> I see no mention of this in the pos.pdf
>>> <https://download.wpsoftware.net/bitcoin/pos.pdf> you linked to. I'm
>>> not aware of any proof that *all *PoS systems have a failure threshold
>>> of 1/3. I know that staking systems like Casper do in fact have that 1/3
>>> requirement. However there are PoS designs that should exceed that up to
>>> nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
>>> to the 1/2 threshold in the way you would think. IE, if 100% of miners are
>>> currently honest and have a collective 100 exahashes/s hashpower, an
>>> attacker does not need to obtain 100 exahashes/s, but actually only needs
>>> to accumulate 50 exahashes/s. This is because as the attacker accumulates
>>> hashpower, it drives honest miners out of the market as the difficulty
>>> increases to beyond what is economically sustainable. Also, its been shown
>>> that the best proof of work can do is require an attacker to obtain 33% of
>>> the hashpower because of the selfish mining attack
>>> <https://github.com/fresheneesz/quantificationOfConsensusProtocolSecurity#the-selfish-economic-attack> discussed
>>> in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both
>>> of these things reduce PoW's security by a factor of about 83% (1 -
>>> 50%*33%).
>>>
>>> > Proof of Stake requires other trade-offs which are incompatible with
>>> Bitcoin's objective (to be a trustless digital cash) — specifically the
>>> famous "security vs. liveness" guarantee
>>>
>>> Do you have a good source that talks about why you think proof of stake
>>> cannot be used for a trustless digital cash?
>>>
>>> > You cannot gain tokens without someone choosing to give up those coins
>>> - a form of permission.
>>>
>>> This is not a practical constraint. Just like in mining, some nodes may
>>> reject you, but there will likely be more that will accept you, some
>>> sellers may reject you, but most would accept your money as payment for
>>> bitcoins. I don't think requiring the "permission" of one of millions of
>>> people in the market can be reasonably considered a "permissioned
>>> currency".
>>>
>>> > 2. Proof of stake must have a trusted means of timestamping to
>>> regulate overproduction of blocks
>>>
>>> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed
>>> to double their clock speeds. Both systems rely on an honest majority
>>> sticking to standard time.
>>>
>>>
>>> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>>
>>>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org>
>>>> wrote:
>>>>
>>>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP
>>>>> itself. PoS, VDFs, and so on are interesting but I guess there are other
>>>>> threads going on these topics already where they would be relevant.
>>>>>
>>>>> Also, it's important to distinguish between oPoW and these other
>>>>> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
>>>>> the core game theory or security assumptions of Hashcash and actually
>>>>> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>>>
>>>>> Cheers,
>>>>> Mike
>>>>>
>>>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
>>>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>
>>>>>> 1. i never suggested vdf's to replace pow.
>>>>>>
>>>>>> 2. my suggestion was specifically *in the context of* a working
>>>>>> proof-of-burn protocol
>>>>>>
>>>>>> - vdfs used only for timing (not block height)
>>>>>> - blind-burned coins of a specific age used to replace proof of work
>>>>>> - the required "work" per block would simply be a competition to
>>>>>> acquire rewards, and so miners would have to burn coins, well in
>>>>>> advance, and hope that their burned coins got rewarded in some far
>>>>>> future
>>>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>>>> value gained from proof of work... without some of the security
>>>>>> drawbacks
>>>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>>>> losing their work in each block)
>>>>>> - new burns can't be used
>>>>>> - old burns age out (like ASICs do)
>>>>>> - other requirements on burns might be needed to properly mirror the
>>>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>>>
>>>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>>>> might be more secure in the long run, and that if the entire space
>>>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>>>> up, and a hard-fork could be initiated.
>>>>>>
>>>>>> 4. i would never suggest such a thing unless i believed it was
>>>>>> possible that consensus was possible. so no, this is not an "alt
>>>>>> coin"
>>>>>>
>>>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
>>>>>> wrote:
>>>>>> >
>>>>>> > Hi ZmnSCPxj,
>>>>>> >
>>>>>> > Please note that I am not suggesting VDFs as a means to save
>>>>>> energy, but solely as a means to make the time between blocks more constant.
>>>>>> >
>>>>>> > Zac
>>>>>> >
>>>>>> >
>>>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
>>>>>> wrote:
>>>>>> >>
>>>>>> >> Good morning Zac,
>>>>>> >>
>>>>>> >> > VDFs might enable more constant block times, for instance by
>>>>>> having a two-step PoW:
>>>>>> >> >
>>>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being
>>>>>> subject to difficulty adjustments similar to the as-is). As per the
>>>>>> property of VDFs, miners are able show proof of work.
>>>>>> >> >
>>>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
>>>>>> block takes 1 minute on average, again subject to as-is difficulty
>>>>>> adjustments.
>>>>>> >> >
>>>>>> >> > As a result, variation in block times will be greatly reduced.
>>>>>> >>
>>>>>> >> As I understand it, another weakness of VDFs is that they are not
>>>>>> inherently progress-free (their sequential nature prevents that; they are
>>>>>> inherently progress-requiring).
>>>>>> >>
>>>>>> >> Thus, a miner which focuses on improving the amount of energy that
>>>>>> it can pump into the VDF circuitry (by overclocking and freezing the
>>>>>> circuitry), could potentially get into a winner-takes-all situation,
>>>>>> possibly leading to even *worse* competition and even *more* energy
>>>>>> consumption.
>>>>>> >> After all, if you can start mining 0.1s faster than the
>>>>>> competition, that is a 0.1s advantage where *only you* can mine *in the
>>>>>> entire world*.
>>>>>> >>
>>>>>> >> Regards,
>>>>>> >> ZmnSCPxj
>>>>>> _______________________________________________
>>>>>> bitcoin-dev mailing list
>>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Michael Dubrovsky
>>>>> Founder; PoWx
>>>>> www.PoWx.org <http://www.powx.org/>
>>>>>
>>>>
>>>>
>>>> --
>>>> Michael Dubrovsky
>>>> Founder; PoWx
>>>> www.PoWx.org <http://www.powx.org/>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
[-- Attachment #2: Type: text/html, Size: 26794 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-23 3:41 ` Lloyd Fournier
2021-05-23 19:10 ` Billy Tetrud
@ 2021-05-24 13:47 ` Erik Aronesty
2021-05-24 20:43 ` Billy Tetrud
2021-06-15 11:13 ` James MacWhyte
2 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-24 13:47 UTC (permalink / raw)
To: Lloyd Fournier, Bitcoin Protocol Discussion; +Cc: SatoshiSingh, Billy Tetrud
> I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
proof of burn clearly solves this, since nothing is held online
> how does proof of burn solve the "nothing at stake" problem in your view?
definition of nothing at stake: in the event of a fork, whether the
fork is accidental or a malicious, the optimal strategy for any miner
is to mine on every chain, so that the miner gets their reward no
matter which fork wins. indeed in proof-of-stake, the proofs are
published on the very chains mines, so the incentive is magnified.
in proof-of-burn, your burn investment is always "at stake", any
redaction can result in a loss-of-burn, because burns can be tied,
precisely, to block-heights
as a result, miners no longer have an incentive to mine all chains
in this way proof of burn can be more secure than proof-of-stake, and
even more secure than proof of work
>
On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hi Billy,
>
> I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
> Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>
> Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
> In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
> As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
> At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
> In PoS systems this clean separation of responsibilities does not exist.
>
> I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
> People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
> But the devil is in the detail.
> Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>
> ### Proof of SquareSpace (Cardano, Polkdadot)
>
> Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
> In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
> I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
> On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>
> 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>
> 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>
> 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
> I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
> In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>
> There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
> Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
> It also grows the size of the blockchain significantly.
>
> ### "Pure" proof of stake (Algorand)
>
> Algorand's[4] approach is to only allow online stake to participate in the protocol.
> Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
> Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
> Hopefully you've spotted the problem.
> You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
> Damn it's still Proof-of-SquareSpace!
> The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
> Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>
> ### Conclusion
>
> I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>
> For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
> After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
> Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
> For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>
> I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>
> Would be interested to know if you or others think differently on these points.
>
> [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
> [2]: https://staking.staked.us/algorand-staking
> [3]: https://eprint.iacr.org/2017/573.pdf
> [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
> [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>
> Cheers,
>
> LL
>
> On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>>
>> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>>
>> > Proof-of-stake tends towards oligopolistic control
>>
>> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>>
>> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>
>> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>>
>> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>
>> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>>
>> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>>
>> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>>
>> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>>
>> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>>
>> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>>
>> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>>
>>
>> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>
>>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>>>
>>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>>>
>>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>>
>>>> Cheers,
>>>> Mike
>>>>
>>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>
>>>>> 1. i never suggested vdf's to replace pow.
>>>>>
>>>>> 2. my suggestion was specifically *in the context of* a working
>>>>> proof-of-burn protocol
>>>>>
>>>>> - vdfs used only for timing (not block height)
>>>>> - blind-burned coins of a specific age used to replace proof of work
>>>>> - the required "work" per block would simply be a competition to
>>>>> acquire rewards, and so miners would have to burn coins, well in
>>>>> advance, and hope that their burned coins got rewarded in some far
>>>>> future
>>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>>> value gained from proof of work... without some of the security
>>>>> drawbacks
>>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>>> losing their work in each block)
>>>>> - new burns can't be used
>>>>> - old burns age out (like ASICs do)
>>>>> - other requirements on burns might be needed to properly mirror the
>>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>>
>>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>>> might be more secure in the long run, and that if the entire space
>>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>>> up, and a hard-fork could be initiated.
>>>>>
>>>>> 4. i would never suggest such a thing unless i believed it was
>>>>> possible that consensus was possible. so no, this is not an "alt
>>>>> coin"
>>>>>
>>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>>>> >
>>>>> > Hi ZmnSCPxj,
>>>>> >
>>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>>>> >
>>>>> > Zac
>>>>> >
>>>>> >
>>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>>>> >>
>>>>> >> Good morning Zac,
>>>>> >>
>>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>>>> >> >
>>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>>>> >> >
>>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>>>> >> >
>>>>> >> > As a result, variation in block times will be greatly reduced.
>>>>> >>
>>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>>>> >>
>>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>>> >>
>>>>> >> Regards,
>>>>> >> ZmnSCPxj
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>>>
>>>>
>>>> --
>>>> Michael Dubrovsky
>>>> Founder; PoWx
>>>> www.PoWx.org
>>>
>>>
>>>
>>> --
>>> Michael Dubrovsky
>>> Founder; PoWx
>>> www.PoWx.org
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-24 13:47 ` Erik Aronesty
@ 2021-05-24 20:43 ` Billy Tetrud
2021-05-24 21:49 ` Erik Aronesty
2021-05-25 8:22 ` befreeandopen
0 siblings, 2 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-05-24 20:43 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 20030 bytes --]
> proof of burn clearly solves this, since nothing is held online
Well.. the coins to be burned need to be online when they're burned. But
yes, only a small fraction of the total coins need to be online.
> your burn investment is always "at stake", any redaction can result in a
loss-of-burn, because burns can be tied, precisely, to block-heights
So you're saying that if say someone tries to mine a block on a shorter
chain, that requires them to send a transaction burning their coins, and
that transaction could also be spent on the longest chain, which means
their coins are burned even if the chain they tried to mine on doesn't win?
I'm fuzzy on how proof of burn works.
> proof of burn can be more secure than proof-of-stake
FYI, proof of stake can be done without the "nothing at stake" problem. You
can simply punish people who mint on shorter chains (by rewarding people
who publish proofs of this happening on the main chain). In quorum-based
PoS, you can punish people in the quorum that propose or sign multiple
blocks for the same height. The "nothing at stake" problem is a solved
problem at this point for PoS.
On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
>
> proof of burn clearly solves this, since nothing is held online
>
> > how does proof of burn solve the "nothing at stake" problem in your
> view?
>
> definition of nothing at stake: in the event of a fork, whether the
> fork is accidental or a malicious, the optimal strategy for any miner
> is to mine on every chain, so that the miner gets their reward no
> matter which fork wins. indeed in proof-of-stake, the proofs are
> published on the very chains mines, so the incentive is magnified.
>
> in proof-of-burn, your burn investment is always "at stake", any
> redaction can result in a loss-of-burn, because burns can be tied,
> precisely, to block-heights
>
> as a result, miners no longer have an incentive to mine all chains
>
> in this way proof of burn can be more secure than proof-of-stake, and
> even more secure than proof of work
>
>
>
>
>
>
>
> >
>
> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > Hi Billy,
> >
> > I was going to write a post which started by dismissing many of the weak
> arguments that are made against PoS made in this thread and elsewhere.
> > Although I don't agree with all your points you have done a decent job
> here so I'll focus on the second part: why I think Proof-of-Stake is
> inappropriate for a Bitcoin-like system.
> >
> > Proof of stake is not fit for purpose for a global settlement layer in a
> pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
> be.
> > PoS necessarily gives responsibilities to the holders of coins that they
> do not want and cannot handle.
> > In Bitcoin, large unsophisticated coin holders can put their coins in
> cold storage without a second thought given to the health of the underlying
> ledger.
> > As much as hardcore Bitcoiners try to convince them to run their own
> node, most don't, and that's perfectly acceptable.
> > At no point do their personal decisions affect the underlying consensus
> -- it only affects their personal security assurance (not that of the
> system itself).
> > In PoS systems this clean separation of responsibilities does not exist.
> >
> > I think that the more rigorously studied PoS protocols will work fine
> within the security claims made in their papers.
> > People who believe that these protocols are destined for catastrophic
> consensus failure are certainly in for a surprise.
> > But the devil is in the detail.
> > Let's look at what the implications of using the leading proof of stake
> protocols would have on Bitcoin:
> >
> > ### Proof of SquareSpace (Cardano, Polkdadot)
> >
> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
> inbuilt on-chain delegation system[5].
> > In these protocols, coin holders who do not want to run their node with
> their hot keys in it delegate it to a "Stake Pool".
> > I call the resulting system Proof-of-SquareSpace since most will choose
> a pool by looking around for one with a nice website and offering the
> largest share of the block reward.
> > On the surface this might sound no different than someone with an mining
> rig shopping around for a good mining pool but there are crucial
> differences:
> >
> > 1. The person making the decision is forced into it just because they
> own the currency -- someone with a mining rig has purchased it with the
> intent to make profit by participating in consensus.
> >
> > 2. When you join a mining pool your systems are very much still online.
> You are just partaking in a pool to reduce your profit variance. You still
> see every block that you help create and *you never help create a block
> without seeing it first*.
> >
> > 3. If by SquareSpace sybil attack you gain a dishonest majority and
> start censoring transactions how are the users meant to redelegate their
> stake to honest pools?
> > I guess they can just send a transaction delegating to another pool...oh
> wait I guess that might be censored too! This seems really really bad.
> > In Bitcoin, miners can just join a different pool at a whim. There is
> nothing the attacker can do to stop them. A temporary dishonest majority
> heals relatively well.
> >
> > There is another severe disadvantage to this on-chain delegation system:
> every UTXO must indicate which staking account this UTXO belongs to so the
> appropriate share of block rewards can be transferred there.
> > Being able to associate every UTXO to an account ruins one of the main
> privacy advantages of the UTXO model.
> > It also grows the size of the blockchain significantly.
> >
> > ### "Pure" proof of stake (Algorand)
> >
> > Algorand's[4] approach is to only allow online stake to participate in
> the protocol.
> > Theoretically, This means that keys holding funds have to be online in
> order for them to author blocks when they are chosen.
> > Of course in reality no one wants to keep their coin holding keys online
> so in Alogorand you can authorize a set of "participation keys"[1] that
> will be used to create blocks on your coin holding key's behalf.
> > Hopefully you've spotted the problem.
> > You can send your participation keys to any malicious party with a nice
> website (see random example [2]) offering you a good return.
> > Damn it's still Proof-of-SquareSpace!
> > The minor advantage is that at least the participation keys expire after
> a certain amount of time so eventually the SquareSpace attacker will lose
> their hold on consensus.
> > Importantly there is also less junk on the blockchain because the
> participation keys are delegated off-chain and so are not making as much of
> a mess.
> >
> > ### Conclusion
> >
> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
> > If we allow delegation then we open up a new social attack surface and
> it degenerates to Proof-of-SquareSpace.
> >
> > For a "digital gold" like system like Bitcoin we optimize for simplicity
> and desperately want to avoid extraneous responsibilities for the holder of
> the coin.
> > After all, gold is an inert element on the periodic table that doesn't
> confer responsibilities on the holder to maintain the quality of all the
> other bars of gold out there.
> > Bitcoin feels like this too and in many ways is more inert and
> beautifully boring than gold.
> > For Bitcoin to succeed I think we need to keep it that way and
> Proof-of-Stake makes everything a bit too exciting.
> >
> > I suppose in the end the market will decide what is real digital gold
> and whether these bad technical trade offs are worth being able to say it
> uses less electricity. It goes without saying that making bad technical
> decisions to appease the current political climate is an anathema to
> Bitcoin.
> >
> > Would be interested to know if you or others think differently on these
> points.
> >
> > [1]:
> https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
> > [2]: https://staking.staked.us/algorand-staking
> > [3]: https://eprint.iacr.org/2017/573.pdf
> > [4]:
> https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
> > [5]:
> https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
> >
> > Cheers,
> >
> > LL
> >
> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >> I think there is a lot of misinformation and bias against Proof of
> Stake. Yes there have been lots of shady coins that use insecure PoS
> mechanisms. Yes there have been massive issues with distribution of PoS
> coins (of course there have also been massive issues with PoW coins as
> well). However, I want to remind everyone that there is a difference
> between "proved to be impossible" and "have not achieved recognized success
> yet". Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
> >>
> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse
> when a 51% attack happens. While I agree, I think that line of thinking
> omits important facts:
> >> * The capital required to 51% attack a PoS chain can be made
> substantially greater than on a PoS chain.
> >> * The capital the attacker stands to lose can be substantially greater
> as well if the attack is successful.
> >> * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> >> * Allowing a 51% attack is already unacceptable. It should be
> considered whether what happens in the case of a 51% may not be
> significantly different. The currency would likely be critically damaged in
> a 51% attack regardless of consensus mechanism.
> >>
> >> > Proof-of-stake tends towards oligopolistic control
> >>
> >> People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignifiant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
> >>
> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> >>
> >> I certainly agree. Bitcoin's energy usage at the moment is I think
> quite warranted. However, the question is: can we do substantially better.
> I think if we can, we probably should... eventually.
> >>
> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> >>
> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of
> any proof that all PoS systems have a failure threshold of 1/3. I know that
> staking systems like Casper do in fact have that 1/3 requirement. However
> there are PoS designs that should exceed that up to nearly 50% as far as
> I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold
> in the way you would think. IE, if 100% of miners are currently honest and
> have a collective 100 exahashes/s hashpower, an attacker does not need to
> obtain 100 exahashes/s, but actually only needs to accumulate 50
> exahashes/s. This is because as the attacker accumulates hashpower, it
> drives honest miners out of the market as the difficulty increases to
> beyond what is economically sustainable. Also, its been shown that the best
> proof of work can do is require an attacker to obtain 33% of the hashpower
> because of the selfish mining attack discussed in depth in this paper:
> https://arxiv.org/abs/1311.0243. Together, both of these things reduce
> PoW's security by a factor of about 83% (1 - 50%*33%).
> >>
> >> > Proof of Stake requires other trade-offs which are incompatible with
> Bitcoin's objective (to be a trustless digital cash) — specifically the
> famous "security vs. liveness" guarantee
> >>
> >> Do you have a good source that talks about why you think proof of stake
> cannot be used for a trustless digital cash?
> >>
> >> > You cannot gain tokens without someone choosing to give up those
> coins - a form of permission.
> >>
> >> This is not a practical constraint. Just like in mining, some nodes may
> reject you, but there will likely be more that will accept you, some
> sellers may reject you, but most would accept your money as payment for
> bitcoins. I don't think requiring the "permission" of one of millions of
> people in the market can be reasonably considered a "permissioned currency".
> >>
> >> > 2. Proof of stake must have a trusted means of timestamping to
> regulate overproduction of blocks
> >>
> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone
> agreed to double their clock speeds. Both systems rely on an honest
> majority sticking to standard time.
> >>
> >>
> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>>
> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
> >>>
> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org>
> wrote:
> >>>>
> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP
> itself. PoS, VDFs, and so on are interesting but I guess there are other
> threads going on these topics already where they would be relevant.
> >>>>
> >>>> Also, it's important to distinguish between oPoW and these other
> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
> the core game theory or security assumptions of Hashcash and actually
> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> >>>>
> >>>> Cheers,
> >>>> Mike
> >>>>
> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>>>>
> >>>>> 1. i never suggested vdf's to replace pow.
> >>>>>
> >>>>> 2. my suggestion was specifically *in the context of* a working
> >>>>> proof-of-burn protocol
> >>>>>
> >>>>> - vdfs used only for timing (not block height)
> >>>>> - blind-burned coins of a specific age used to replace proof of work
> >>>>> - the required "work" per block would simply be a competition to
> >>>>> acquire rewards, and so miners would have to burn coins, well in
> >>>>> advance, and hope that their burned coins got rewarded in some far
> >>>>> future
> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
> >>>>> value gained from proof of work... without some of the security
> >>>>> drawbacks
> >>>>> - the miner risks losing all of his burned coins (like all miners
> risk
> >>>>> losing their work in each block)
> >>>>> - new burns can't be used
> >>>>> - old burns age out (like ASICs do)
> >>>>> - other requirements on burns might be needed to properly mirror the
> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
> >>>>>
> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
> >>>>> might be more secure in the long run, and that if the entire space
> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
> >>>>> up, and a hard-fork could be initiated.
> >>>>>
> >>>>> 4. i would never suggest such a thing unless i believed it was
> >>>>> possible that consensus was possible. so no, this is not an "alt
> >>>>> coin"
> >>>>>
> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
> wrote:
> >>>>> >
> >>>>> > Hi ZmnSCPxj,
> >>>>> >
> >>>>> > Please note that I am not suggesting VDFs as a means to save
> energy, but solely as a means to make the time between blocks more constant.
> >>>>> >
> >>>>> > Zac
> >>>>> >
> >>>>> >
> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
> wrote:
> >>>>> >>
> >>>>> >> Good morning Zac,
> >>>>> >>
> >>>>> >> > VDFs might enable more constant block times, for instance by
> having a two-step PoW:
> >>>>> >> >
> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being
> subject to difficulty adjustments similar to the as-is). As per the
> property of VDFs, miners are able show proof of work.
> >>>>> >> >
> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
> block takes 1 minute on average, again subject to as-is difficulty
> adjustments.
> >>>>> >> >
> >>>>> >> > As a result, variation in block times will be greatly reduced.
> >>>>> >>
> >>>>> >> As I understand it, another weakness of VDFs is that they are not
> inherently progress-free (their sequential nature prevents that; they are
> inherently progress-requiring).
> >>>>> >>
> >>>>> >> Thus, a miner which focuses on improving the amount of energy
> that it can pump into the VDF circuitry (by overclocking and freezing the
> circuitry), could potentially get into a winner-takes-all situation,
> possibly leading to even *worse* competition and even *more* energy
> consumption.
> >>>>> >> After all, if you can start mining 0.1s faster than the
> competition, that is a 0.1s advantage where *only you* can mine *in the
> entire world*.
> >>>>> >>
> >>>>> >> Regards,
> >>>>> >> ZmnSCPxj
> >>>>> _______________________________________________
> >>>>> bitcoin-dev mailing list
> >>>>> bitcoin-dev@lists.linuxfoundation.org
> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Michael Dubrovsky
> >>>> Founder; PoWx
> >>>> www.PoWx.org
> >>>
> >>>
> >>>
> >>> --
> >>> Michael Dubrovsky
> >>> Founder; PoWx
> >>> www.PoWx.org
> >>> _______________________________________________
> >>> bitcoin-dev mailing list
> >>> bitcoin-dev@lists.linuxfoundation.org
> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >>
> >> _______________________________________________
> >> bitcoin-dev mailing list
> >> bitcoin-dev@lists.linuxfoundation.org
> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 24755 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-24 20:43 ` Billy Tetrud
@ 2021-05-24 21:49 ` Erik Aronesty
2021-05-25 1:52 ` Billy Tetrud
2021-05-25 8:22 ` befreeandopen
1 sibling, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-24 21:49 UTC (permalink / raw)
To: Billy Tetrud; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
> > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> I'm fuzzy on how proof of burn works.
when you burn coins, you burn them to be used at a future particular
block height: so if i'm burning for block 553, i can only use them to
mine block 553. if i have a choice between two chains, one longer
and one shorter, i can only choose one... deterministically, for that
burn: the chain with the height 553. if we fix the "lead time" for
burned coins to be weeks or even months in advance, miners have a very
strong, long-term, investment in the stability of the chain.
therefore there is no "nothing at stake" problem. it's
deterministic, so miners have no choice. they can *only* choose the
transactions that go into the block. they cannot choose which chain
to mine, and it's time-locked, so rollbacks and instability always
hurt miners the most.
the "punishment" systems of PoS are "weird at best", certainly
unproven. i can imagine scenarios where large stakeholders can
collude to punish smaller stakeholders simply to drive them out of
business, for example. and then you have to put checks in place to
prevent that, and more checks for those prevention system...
in PoB, there is no complexity. simpler systems like this are
typically more secure.
PoB also solves problems caused by "energy dependence", which could
lead to state monopolies on mining (like the new Bitcoin Mining
Council). these consortiums, if state sanctioned, could become a
source of censorship, for example. Since PoB doesn't require you to
have a live, well-connected node, it's harder to censor & harder to
trace.
Eliminating this weakness seems to be in the best interests of
existing stakeholders
On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>
> > proof of burn clearly solves this, since nothing is held online
>
> Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>
> > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>
> So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>
> > proof of burn can be more secure than proof-of-stake
>
> FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>
>
>
> On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>>
>> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>
>> proof of burn clearly solves this, since nothing is held online
>>
>> > how does proof of burn solve the "nothing at stake" problem in your view?
>>
>> definition of nothing at stake: in the event of a fork, whether the
>> fork is accidental or a malicious, the optimal strategy for any miner
>> is to mine on every chain, so that the miner gets their reward no
>> matter which fork wins. indeed in proof-of-stake, the proofs are
>> published on the very chains mines, so the incentive is magnified.
>>
>> in proof-of-burn, your burn investment is always "at stake", any
>> redaction can result in a loss-of-burn, because burns can be tied,
>> precisely, to block-heights
>>
>> as a result, miners no longer have an incentive to mine all chains
>>
>> in this way proof of burn can be more secure than proof-of-stake, and
>> even more secure than proof of work
>>
>>
>>
>>
>>
>>
>>
>> >
>>
>> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >
>> > Hi Billy,
>> >
>> > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>> > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>> >
>> > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>> > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>> > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>> > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>> > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>> > In PoS systems this clean separation of responsibilities does not exist.
>> >
>> > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>> > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>> > But the devil is in the detail.
>> > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>> >
>> > ### Proof of SquareSpace (Cardano, Polkdadot)
>> >
>> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>> > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>> > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>> > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>> >
>> > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>> >
>> > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>> >
>> > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>> > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>> > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>> >
>> > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>> > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>> > It also grows the size of the blockchain significantly.
>> >
>> > ### "Pure" proof of stake (Algorand)
>> >
>> > Algorand's[4] approach is to only allow online stake to participate in the protocol.
>> > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>> > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>> > Hopefully you've spotted the problem.
>> > You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>> > Damn it's still Proof-of-SquareSpace!
>> > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>> > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>> >
>> > ### Conclusion
>> >
>> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>> > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>> >
>> > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>> > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>> > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>> > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>> >
>> > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>> >
>> > Would be interested to know if you or others think differently on these points.
>> >
>> > [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>> > [2]: https://staking.staked.us/algorand-staking
>> > [3]: https://eprint.iacr.org/2017/573.pdf
>> > [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>> > [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>> >
>> > Cheers,
>> >
>> > LL
>> >
>> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >>
>> >> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>> >>
>> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>> >> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>> >> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>> >> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>> >> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>> >>
>> >> > Proof-of-stake tends towards oligopolistic control
>> >>
>> >> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>> >>
>> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>> >>
>> >> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>> >>
>> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>> >>
>> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>> >>
>> >> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>> >>
>> >> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>> >>
>> >> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>> >>
>> >> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>> >>
>> >> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>> >>
>> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>> >>
>> >>
>> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >>>
>> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>> >>>
>> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>> >>>>
>> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>> >>>>
>> >>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>> >>>>
>> >>>> Cheers,
>> >>>> Mike
>> >>>>
>> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >>>>>
>> >>>>> 1. i never suggested vdf's to replace pow.
>> >>>>>
>> >>>>> 2. my suggestion was specifically *in the context of* a working
>> >>>>> proof-of-burn protocol
>> >>>>>
>> >>>>> - vdfs used only for timing (not block height)
>> >>>>> - blind-burned coins of a specific age used to replace proof of work
>> >>>>> - the required "work" per block would simply be a competition to
>> >>>>> acquire rewards, and so miners would have to burn coins, well in
>> >>>>> advance, and hope that their burned coins got rewarded in some far
>> >>>>> future
>> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
>> >>>>> value gained from proof of work... without some of the security
>> >>>>> drawbacks
>> >>>>> - the miner risks losing all of his burned coins (like all miners risk
>> >>>>> losing their work in each block)
>> >>>>> - new burns can't be used
>> >>>>> - old burns age out (like ASICs do)
>> >>>>> - other requirements on burns might be needed to properly mirror the
>> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>> >>>>>
>> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>> >>>>> might be more secure in the long run, and that if the entire space
>> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>> >>>>> up, and a hard-fork could be initiated.
>> >>>>>
>> >>>>> 4. i would never suggest such a thing unless i believed it was
>> >>>>> possible that consensus was possible. so no, this is not an "alt
>> >>>>> coin"
>> >>>>>
>> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>> >>>>> >
>> >>>>> > Hi ZmnSCPxj,
>> >>>>> >
>> >>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>> >>>>> >
>> >>>>> > Zac
>> >>>>> >
>> >>>>> >
>> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>> >>>>> >>
>> >>>>> >> Good morning Zac,
>> >>>>> >>
>> >>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>> >>>>> >> >
>> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>> >>>>> >> >
>> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>> >>>>> >> >
>> >>>>> >> > As a result, variation in block times will be greatly reduced.
>> >>>>> >>
>> >>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>> >>>>> >>
>> >>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>> >>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>> >>>>> >>
>> >>>>> >> Regards,
>> >>>>> >> ZmnSCPxj
>> >>>>> _______________________________________________
>> >>>>> bitcoin-dev mailing list
>> >>>>> bitcoin-dev@lists.linuxfoundation.org
>> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Michael Dubrovsky
>> >>>> Founder; PoWx
>> >>>> www.PoWx.org
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Michael Dubrovsky
>> >>> Founder; PoWx
>> >>> www.PoWx.org
>> >>> _______________________________________________
>> >>> bitcoin-dev mailing list
>> >>> bitcoin-dev@lists.linuxfoundation.org
>> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >>
>> >> _______________________________________________
>> >> bitcoin-dev mailing list
>> >> bitcoin-dev@lists.linuxfoundation.org
>> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >
>> > _______________________________________________
>> > bitcoin-dev mailing list
>> > bitcoin-dev@lists.linuxfoundation.org
>> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-24 21:49 ` Erik Aronesty
@ 2021-05-25 1:52 ` Billy Tetrud
2021-05-25 13:00 ` Erik Aronesty
0 siblings, 1 reply; 67+ messages in thread
From: Billy Tetrud @ 2021-05-25 1:52 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 23998 bytes --]
Is this <https://en.bitcoin.it/wiki/Proof_of_burn> the kind of proof of
burn you're talking about?
> if i have a choice between two chains, one longer and one shorter, i
can only choose one... deterministically
What prevents you from attempting to mine block 553 on both chains?
> miners have a very strong, long-term, investment in the stability of the
chain.
Yes, but the same can be said of any coin, even ones that do have the
nothing at stake problem. This isn't sufficient tho because the chain is a
common good, and the tragedy of the commons holds for it.
> you burn them to be used at a future particular block height
This sounds exploitable. It seems like an attacker could simply focus all
their burns on a particular set of 6 blocks to double spend, minimizing
their cost of attack.
> i can imagine scenarios where large stakeholders can collude to punish
smaller stakeholders simply to drive them out of business, for example
Are you talking about a 51% attack? This is possible in any decentralized
cryptocurrency.
On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
> > > your burn investment is always "at stake", any redaction can result in
> a loss-of-burn, because burns can be tied, precisely, to block-heights
> > I'm fuzzy on how proof of burn works.
>
> when you burn coins, you burn them to be used at a future particular
> block height: so if i'm burning for block 553, i can only use them to
> mine block 553. if i have a choice between two chains, one longer
> and one shorter, i can only choose one... deterministically, for that
> burn: the chain with the height 553. if we fix the "lead time" for
> burned coins to be weeks or even months in advance, miners have a very
> strong, long-term, investment in the stability of the chain.
>
> therefore there is no "nothing at stake" problem. it's
> deterministic, so miners have no choice. they can *only* choose the
> transactions that go into the block. they cannot choose which chain
> to mine, and it's time-locked, so rollbacks and instability always
> hurt miners the most.
>
> the "punishment" systems of PoS are "weird at best", certainly
> unproven. i can imagine scenarios where large stakeholders can
> collude to punish smaller stakeholders simply to drive them out of
> business, for example. and then you have to put checks in place to
> prevent that, and more checks for those prevention system...
>
> in PoB, there is no complexity. simpler systems like this are
> typically more secure.
>
> PoB also solves problems caused by "energy dependence", which could
> lead to state monopolies on mining (like the new Bitcoin Mining
> Council). these consortiums, if state sanctioned, could become a
> source of censorship, for example. Since PoB doesn't require you to
> have a live, well-connected node, it's harder to censor & harder to
> trace.
>
> Eliminating this weakness seems to be in the best interests of
> existing stakeholders
>
>
>
>
> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com>
> wrote:
> >
> > > proof of burn clearly solves this, since nothing is held online
> >
> > Well.. the coins to be burned need to be online when they're burned. But
> yes, only a small fraction of the total coins need to be online.
> >
> > > your burn investment is always "at stake", any redaction can result in
> a loss-of-burn, because burns can be tied, precisely, to block-heights
> >
> > So you're saying that if say someone tries to mine a block on a shorter
> chain, that requires them to send a transaction burning their coins, and
> that transaction could also be spent on the longest chain, which means
> their coins are burned even if the chain they tried to mine on doesn't win?
> I'm fuzzy on how proof of burn works.
> >
> > > proof of burn can be more secure than proof-of-stake
> >
> > FYI, proof of stake can be done without the "nothing at stake" problem.
> You can simply punish people who mint on shorter chains (by rewarding
> people who publish proofs of this happening on the main chain). In
> quorum-based PoS, you can punish people in the quorum that propose or sign
> multiple blocks for the same height. The "nothing at stake" problem is a
> solved problem at this point for PoS.
> >
> >
> >
> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
> >>
> >> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
> >>
> >> proof of burn clearly solves this, since nothing is held online
> >>
> >> > how does proof of burn solve the "nothing at stake" problem in your
> view?
> >>
> >> definition of nothing at stake: in the event of a fork, whether the
> >> fork is accidental or a malicious, the optimal strategy for any miner
> >> is to mine on every chain, so that the miner gets their reward no
> >> matter which fork wins. indeed in proof-of-stake, the proofs are
> >> published on the very chains mines, so the incentive is magnified.
> >>
> >> in proof-of-burn, your burn investment is always "at stake", any
> >> redaction can result in a loss-of-burn, because burns can be tied,
> >> precisely, to block-heights
> >>
> >> as a result, miners no longer have an incentive to mine all chains
> >>
> >> in this way proof of burn can be more secure than proof-of-stake, and
> >> even more secure than proof of work
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> >
> >>
> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >
> >> > Hi Billy,
> >> >
> >> > I was going to write a post which started by dismissing many of the
> weak arguments that are made against PoS made in this thread and elsewhere.
> >> > Although I don't agree with all your points you have done a decent
> job here so I'll focus on the second part: why I think Proof-of-Stake is
> inappropriate for a Bitcoin-like system.
> >> >
> >> > Proof of stake is not fit for purpose for a global settlement layer
> in a pure digital asset (i.e. "digital gold") which is what Bitcoin is
> trying to be.
> >> > PoS necessarily gives responsibilities to the holders of coins that
> they do not want and cannot handle.
> >> > In Bitcoin, large unsophisticated coin holders can put their coins in
> cold storage without a second thought given to the health of the underlying
> ledger.
> >> > As much as hardcore Bitcoiners try to convince them to run their own
> node, most don't, and that's perfectly acceptable.
> >> > At no point do their personal decisions affect the underlying
> consensus -- it only affects their personal security assurance (not that of
> the system itself).
> >> > In PoS systems this clean separation of responsibilities does not
> exist.
> >> >
> >> > I think that the more rigorously studied PoS protocols will work fine
> within the security claims made in their papers.
> >> > People who believe that these protocols are destined for catastrophic
> consensus failure are certainly in for a surprise.
> >> > But the devil is in the detail.
> >> > Let's look at what the implications of using the leading proof of
> stake protocols would have on Bitcoin:
> >> >
> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
> >> >
> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
> inbuilt on-chain delegation system[5].
> >> > In these protocols, coin holders who do not want to run their node
> with their hot keys in it delegate it to a "Stake Pool".
> >> > I call the resulting system Proof-of-SquareSpace since most will
> choose a pool by looking around for one with a nice website and offering
> the largest share of the block reward.
> >> > On the surface this might sound no different than someone with an
> mining rig shopping around for a good mining pool but there are crucial
> differences:
> >> >
> >> > 1. The person making the decision is forced into it just because they
> own the currency -- someone with a mining rig has purchased it with the
> intent to make profit by participating in consensus.
> >> >
> >> > 2. When you join a mining pool your systems are very much still
> online. You are just partaking in a pool to reduce your profit variance.
> You still see every block that you help create and *you never help create a
> block without seeing it first*.
> >> >
> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority and
> start censoring transactions how are the users meant to redelegate their
> stake to honest pools?
> >> > I guess they can just send a transaction delegating to another
> pool...oh wait I guess that might be censored too! This seems really really
> bad.
> >> > In Bitcoin, miners can just join a different pool at a whim. There is
> nothing the attacker can do to stop them. A temporary dishonest majority
> heals relatively well.
> >> >
> >> > There is another severe disadvantage to this on-chain delegation
> system: every UTXO must indicate which staking account this UTXO belongs to
> so the appropriate share of block rewards can be transferred there.
> >> > Being able to associate every UTXO to an account ruins one of the
> main privacy advantages of the UTXO model.
> >> > It also grows the size of the blockchain significantly.
> >> >
> >> > ### "Pure" proof of stake (Algorand)
> >> >
> >> > Algorand's[4] approach is to only allow online stake to participate
> in the protocol.
> >> > Theoretically, This means that keys holding funds have to be online
> in order for them to author blocks when they are chosen.
> >> > Of course in reality no one wants to keep their coin holding keys
> online so in Alogorand you can authorize a set of "participation keys"[1]
> that will be used to create blocks on your coin holding key's behalf.
> >> > Hopefully you've spotted the problem.
> >> > You can send your participation keys to any malicious party with a
> nice website (see random example [2]) offering you a good return.
> >> > Damn it's still Proof-of-SquareSpace!
> >> > The minor advantage is that at least the participation keys expire
> after a certain amount of time so eventually the SquareSpace attacker will
> lose their hold on consensus.
> >> > Importantly there is also less junk on the blockchain because the
> participation keys are delegated off-chain and so are not making as much of
> a mess.
> >> >
> >> > ### Conclusion
> >> >
> >> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
> >> > If we allow delegation then we open up a new social attack surface
> and it degenerates to Proof-of-SquareSpace.
> >> >
> >> > For a "digital gold" like system like Bitcoin we optimize for
> simplicity and desperately want to avoid extraneous responsibilities for
> the holder of the coin.
> >> > After all, gold is an inert element on the periodic table that
> doesn't confer responsibilities on the holder to maintain the quality of
> all the other bars of gold out there.
> >> > Bitcoin feels like this too and in many ways is more inert and
> beautifully boring than gold.
> >> > For Bitcoin to succeed I think we need to keep it that way and
> Proof-of-Stake makes everything a bit too exciting.
> >> >
> >> > I suppose in the end the market will decide what is real digital gold
> and whether these bad technical trade offs are worth being able to say it
> uses less electricity. It goes without saying that making bad technical
> decisions to appease the current political climate is an anathema to
> Bitcoin.
> >> >
> >> > Would be interested to know if you or others think differently on
> these points.
> >> >
> >> > [1]:
> https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
> >> > [2]: https://staking.staked.us/algorand-staking
> >> > [3]: https://eprint.iacr.org/2017/573.pdf
> >> > [4]:
> https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
> >> > [5]:
> https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
> >> >
> >> > Cheers,
> >> >
> >> > LL
> >> >
> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >> I think there is a lot of misinformation and bias against Proof of
> Stake. Yes there have been lots of shady coins that use insecure PoS
> mechanisms. Yes there have been massive issues with distribution of PoS
> coins (of course there have also been massive issues with PoW coins as
> well). However, I want to remind everyone that there is a difference
> between "proved to be impossible" and "have not achieved recognized success
> yet". Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
> >> >>
> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is
> worse when a 51% attack happens. While I agree, I think that line of
> thinking omits important facts:
> >> >> * The capital required to 51% attack a PoS chain can be made
> substantially greater than on a PoS chain.
> >> >> * The capital the attacker stands to lose can be substantially
> greater as well if the attack is successful.
> >> >> * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> >> >> * Allowing a 51% attack is already unacceptable. It should be
> considered whether what happens in the case of a 51% may not be
> significantly different. The currency would likely be critically damaged in
> a 51% attack regardless of consensus mechanism.
> >> >>
> >> >> > Proof-of-stake tends towards oligopolistic control
> >> >>
> >> >> People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignifiant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
> >> >>
> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> >> >>
> >> >> I certainly agree. Bitcoin's energy usage at the moment is I think
> quite warranted. However, the question is: can we do substantially better.
> I think if we can, we probably should... eventually.
> >> >>
> >> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating
> a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> >> >>
> >> >> I see no mention of this in the pos.pdf you linked to. I'm not aware
> of any proof that all PoS systems have a failure threshold of 1/3. I know
> that staking systems like Casper do in fact have that 1/3 requirement.
> However there are PoS designs that should exceed that up to nearly 50% as
> far as I'm aware. Proof of work is not in fact resilient up to the 1/2
> threshold in the way you would think. IE, if 100% of miners are currently
> honest and have a collective 100 exahashes/s hashpower, an attacker does
> not need to obtain 100 exahashes/s, but actually only needs to accumulate
> 50 exahashes/s. This is because as the attacker accumulates hashpower, it
> drives honest miners out of the market as the difficulty increases to
> beyond what is economically sustainable. Also, its been shown that the best
> proof of work can do is require an attacker to obtain 33% of the hashpower
> because of the selfish mining attack discussed in depth in this paper:
> https://arxiv.org/abs/1311.0243. Together, both of these things reduce
> PoW's security by a factor of about 83% (1 - 50%*33%).
> >> >>
> >> >> > Proof of Stake requires other trade-offs which are incompatible
> with Bitcoin's objective (to be a trustless digital cash) — specifically
> the famous "security vs. liveness" guarantee
> >> >>
> >> >> Do you have a good source that talks about why you think proof of
> stake cannot be used for a trustless digital cash?
> >> >>
> >> >> > You cannot gain tokens without someone choosing to give up those
> coins - a form of permission.
> >> >>
> >> >> This is not a practical constraint. Just like in mining, some nodes
> may reject you, but there will likely be more that will accept you, some
> sellers may reject you, but most would accept your money as payment for
> bitcoins. I don't think requiring the "permission" of one of millions of
> people in the market can be reasonably considered a "permissioned currency".
> >> >>
> >> >> > 2. Proof of stake must have a trusted means of timestamping to
> regulate overproduction of blocks
> >> >>
> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone
> agreed to double their clock speeds. Both systems rely on an honest
> majority sticking to standard time.
> >> >>
> >> >>
> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>>
> >> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
> >> >>>
> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org>
> wrote:
> >> >>>>
> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP
> itself. PoS, VDFs, and so on are interesting but I guess there are other
> threads going on these topics already where they would be relevant.
> >> >>>>
> >> >>>> Also, it's important to distinguish between oPoW and these other
> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
> the core game theory or security assumptions of Hashcash and actually
> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> >> >>>>
> >> >>>> Cheers,
> >> >>>> Mike
> >> >>>>
> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>>>>
> >> >>>>> 1. i never suggested vdf's to replace pow.
> >> >>>>>
> >> >>>>> 2. my suggestion was specifically *in the context of* a working
> >> >>>>> proof-of-burn protocol
> >> >>>>>
> >> >>>>> - vdfs used only for timing (not block height)
> >> >>>>> - blind-burned coins of a specific age used to replace proof of
> work
> >> >>>>> - the required "work" per block would simply be a competition to
> >> >>>>> acquire rewards, and so miners would have to burn coins, well in
> >> >>>>> advance, and hope that their burned coins got rewarded in some far
> >> >>>>> future
> >> >>>>> - the point of burned coins is to mimic, in every meaningful way,
> the
> >> >>>>> value gained from proof of work... without some of the security
> >> >>>>> drawbacks
> >> >>>>> - the miner risks losing all of his burned coins (like all miners
> risk
> >> >>>>> losing their work in each block)
> >> >>>>> - new burns can't be used
> >> >>>>> - old burns age out (like ASICs do)
> >> >>>>> - other requirements on burns might be needed to properly mirror
> the
> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine
> honestly.
> >> >>>>>
> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
> >> >>>>> might be more secure in the long run, and that if the entire space
> >> >>>>> agreed that such an endeavor was worthwhile, a test net could be
> spun
> >> >>>>> up, and a hard-fork could be initiated.
> >> >>>>>
> >> >>>>> 4. i would never suggest such a thing unless i believed it was
> >> >>>>> possible that consensus was possible. so no, this is not an "alt
> >> >>>>> coin"
> >> >>>>>
> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com>
> wrote:
> >> >>>>> >
> >> >>>>> > Hi ZmnSCPxj,
> >> >>>>> >
> >> >>>>> > Please note that I am not suggesting VDFs as a means to save
> energy, but solely as a means to make the time between blocks more constant.
> >> >>>>> >
> >> >>>>> > Zac
> >> >>>>> >
> >> >>>>> >
> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com>
> wrote:
> >> >>>>> >>
> >> >>>>> >> Good morning Zac,
> >> >>>>> >>
> >> >>>>> >> > VDFs might enable more constant block times, for instance by
> having a two-step PoW:
> >> >>>>> >> >
> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being
> subject to difficulty adjustments similar to the as-is). As per the
> property of VDFs, miners are able show proof of work.
> >> >>>>> >> >
> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so
> finding a block takes 1 minute on average, again subject to as-is
> difficulty adjustments.
> >> >>>>> >> >
> >> >>>>> >> > As a result, variation in block times will be greatly
> reduced.
> >> >>>>> >>
> >> >>>>> >> As I understand it, another weakness of VDFs is that they are
> not inherently progress-free (their sequential nature prevents that; they
> are inherently progress-requiring).
> >> >>>>> >>
> >> >>>>> >> Thus, a miner which focuses on improving the amount of energy
> that it can pump into the VDF circuitry (by overclocking and freezing the
> circuitry), could potentially get into a winner-takes-all situation,
> possibly leading to even *worse* competition and even *more* energy
> consumption.
> >> >>>>> >> After all, if you can start mining 0.1s faster than the
> competition, that is a 0.1s advantage where *only you* can mine *in the
> entire world*.
> >> >>>>> >>
> >> >>>>> >> Regards,
> >> >>>>> >> ZmnSCPxj
> >> >>>>> _______________________________________________
> >> >>>>> bitcoin-dev mailing list
> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> --
> >> >>>> Michael Dubrovsky
> >> >>>> Founder; PoWx
> >> >>>> www.PoWx.org
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Michael Dubrovsky
> >> >>> Founder; PoWx
> >> >>> www.PoWx.org
> >> >>> _______________________________________________
> >> >>> bitcoin-dev mailing list
> >> >>> bitcoin-dev@lists.linuxfoundation.org
> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> >>
> >> >> _______________________________________________
> >> >> bitcoin-dev mailing list
> >> >> bitcoin-dev@lists.linuxfoundation.org
> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> >
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 30614 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-24 20:43 ` Billy Tetrud
2021-05-24 21:49 ` Erik Aronesty
@ 2021-05-25 8:22 ` befreeandopen
1 sibling, 0 replies; 67+ messages in thread
From: befreeandopen @ 2021-05-25 8:22 UTC (permalink / raw)
To: Billy Tetrud, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 23401 bytes --]
> FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
This misleading statement. Nothing at stake problem is just about as solved for PoS as scaling. Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely.
In case of punishment, it is the latter case - it does not solve nothing at stake problem, it only reduces some instances of it, but the core problem persists. It does because the minter (the one who stakes) is not forced to publish his block and can stake selfishly. This matters because such an attacker can stake selfishly on any prior history of the chain. Imagine there is a new block coming from what is called main chain. An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp. Usually she can perform this calculation for not just one block ahead, but two, three ... So she knows the time schedule for the chain she can built on the top. But not only she can do that on the top of the main chain, but on the top of the second block from the top on the main chain. Should she find that building on shorter chain gives her more blocks in the nearest future, she will avoid to prolong the longest chain - and this is where she avoids the punishment - and instead she creates two or more blocks on a historic block and thus she successfully executes nothing at stake attack.
This shows that while the punishment requires the attack to be slightly modified, and this modification does slightly lower the expected profit of it, it is still a viable attack that is profitable and is not at all prevented by punishment logic. On the downside of punishment logic you have the complexity of implementation of such code, which is non-trivial. So it is an open question whether the punishment mechanism is even worth implementing at all. If it is, the benefit is small and does not mitigate nothing at stake attack.
Another way to "prevent" nothing at stake attack is to have "rounds" or "epochs" for which minters are pre-selected, usually in random order and so it is obvious who can mine at which time upfront and no one else can. I am not sure if this is what you call quorum-based PoS. Anyway, this setup mitigates nothing at stake, but - as per my claim above - it introduces a problem elsewhere. Here it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system. In systems where anyone can come up with the next block, it is difficult to perform such DDOS because you need to perform it against everyone. In this setup, however, you have one target at the time. Moreover, when it is your turn to act, you can delay your block creation up to the end of the slot, creating a race condition in the consensus that is hard to solve. Again, this is not trivial to get right and is often vulnerable to attacks.
So while you can claim that the "naive nothing at stake attack" is solved today, in general, it is not solved and claiming it is very misleading. It is a natural problem to PoS that each system that exists today tries to tackle somehow and I am not aware of any system that would actually solve it without not introducing a problem elsewhere (this could include DoS, centralization, and other kinds). It is all about choosing your tradeoffs but there is no solution to nothing at stake I am aware of that would be without critical tradeoffs.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, May 24, 2021 9:43 PM, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> proof of burn clearly solves this, since nothing is held online
>
> Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>
>> your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>
> So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>
>> proof of burn can be more secure than proof-of-stake
>
> FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>
> On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>
>>> I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>
>> proof of burn clearly solves this, since nothing is held online
>>
>>> how does proof of burn solve the "nothing at stake" problem in your view?
>>
>> definition of nothing at stake: in the event of a fork, whether the
>> fork is accidental or a malicious, the optimal strategy for any miner
>> is to mine on every chain, so that the miner gets their reward no
>> matter which fork wins. indeed in proof-of-stake, the proofs are
>> published on the very chains mines, so the incentive is magnified.
>>
>> in proof-of-burn, your burn investment is always "at stake", any
>> redaction can result in a loss-of-burn, because burns can be tied,
>> precisely, to block-heights
>>
>> as a result, miners no longer have an incentive to mine all chains
>>
>> in this way proof of burn can be more secure than proof-of-stake, and
>> even more secure than proof of work
>>
>>>
>>
>> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>> Hi Billy,
>>>
>>> I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>>> Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>>>
>>> Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>>> PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>>> In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>>> As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>>> At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>>> In PoS systems this clean separation of responsibilities does not exist.
>>>
>>> I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>>> People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>>> But the devil is in the detail.
>>> Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>>>
>>> ### Proof of SquareSpace (Cardano, Polkdadot)
>>>
>>> Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>>> In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>>> I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>>> On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>>>
>>> 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>>>
>>> 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>>>
>>> 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>>> I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>>> In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>>>
>>> There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>>> Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>>> It also grows the size of the blockchain significantly.
>>>
>>> ### "Pure" proof of stake (Algorand)
>>>
>>> Algorand's[4] approach is to only allow online stake to participate in the protocol.
>>> Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>>> Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>>> Hopefully you've spotted the problem.
>>> You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>>> Damn it's still Proof-of-SquareSpace!
>>> The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>>> Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>>>
>>> ### Conclusion
>>>
>>> I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>> If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>>>
>>> For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>>> After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>>> Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>>> For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>>>
>>> I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>>>
>>> Would be interested to know if you or others think differently on these points.
>>>
>>> [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>>> [2]: https://staking.staked.us/algorand-staking
>>> [3]: https://eprint.iacr.org/2017/573.pdf
>>> [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>>> [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>>
>>> Cheers,
>>>
>>> LL
>>>
>>> On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>
>>>> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>>>>
>>>> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>>>> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>>>> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>>>> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>>>> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>>>>
>>>> > Proof-of-stake tends towards oligopolistic control
>>>>
>>>> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>>>>
>>>> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>>>
>>>> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>>>>
>>>> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>>>
>>>> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>>>>
>>>> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>>>>
>>>> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>>>>
>>>> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>>>>
>>>> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>>>>
>>>> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>>>>
>>>> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>>>>
>>>>
>>>> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>
>>>>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>>>
>>>>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>>>>>
>>>>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>>>>>
>>>>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>>>>
>>>>>> Cheers,
>>>>>> Mike
>>>>>>
>>>>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>>>
>>>>>>> 1. i never suggested vdf's to replace pow.
>>>>>>>
>>>>>>> 2. my suggestion was specifically *in the context of* a working
>>>>>>> proof-of-burn protocol
>>>>>>>
>>>>>>> - vdfs used only for timing (not block height)
>>>>>>> - blind-burned coins of a specific age used to replace proof of work
>>>>>>> - the required "work" per block would simply be a competition to
>>>>>>> acquire rewards, and so miners would have to burn coins, well in
>>>>>>> advance, and hope that their burned coins got rewarded in some far
>>>>>>> future
>>>>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>>>>> value gained from proof of work... without some of the security
>>>>>>> drawbacks
>>>>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>>>>> losing their work in each block)
>>>>>>> - new burns can't be used
>>>>>>> - old burns age out (like ASICs do)
>>>>>>> - other requirements on burns might be needed to properly mirror the
>>>>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>>>>
>>>>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>>>>> might be more secure in the long run, and that if the entire space
>>>>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>>>>> up, and a hard-fork could be initiated.
>>>>>>>
>>>>>>> 4. i would never suggest such a thing unless i believed it was
>>>>>>> possible that consensus was possible. so no, this is not an "alt
>>>>>>> coin"
>>>>>>>
>>>>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>>>>>> >
>>>>>>> > Hi ZmnSCPxj,
>>>>>>> >
>>>>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>>>>>> >
>>>>>>> > Zac
>>>>>>> >
>>>>>>> >
>>>>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>>>>>> >>
>>>>>>> >> Good morning Zac,
>>>>>>> >>
>>>>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>>>>>> >> >
>>>>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>>>>>> >> >
>>>>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>>>>>> >> >
>>>>>>> >> > As a result, variation in block times will be greatly reduced.
>>>>>>> >>
>>>>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>>>>>> >>
>>>>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>>>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>>>>> >>
>>>>>>> >> Regards,
>>>>>>> >> ZmnSCPxj
>>>>>>> _______________________________________________
>>>>>>> bitcoin-dev mailing list
>>>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Michael Dubrovsky
>>>>>> Founder; PoWx
>>>>>> www.PoWx.org
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Michael Dubrovsky
>>>>> Founder; PoWx
>>>>> www.PoWx.org
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 31347 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-25 1:52 ` Billy Tetrud
@ 2021-05-25 13:00 ` Erik Aronesty
2021-05-25 20:01 ` Billy Tetrud
0 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-25 13:00 UTC (permalink / raw)
To: Billy Tetrud; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
> > you burn them to be used at a future particular block height
> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
could be right. the original idea was to have burns decay over time,
like ASIC's.
anyway the point was not that "i had a magic formula"
the point was that proof of burn is almost always better than proof of
stake - simply because the "proof" is on-chain, not sitting on a node
somewhere waiting to be stolen.
On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>
> Is this the kind of proof of burn you're talking about?
>
> > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
>
> What prevents you from attempting to mine block 553 on both chains?
>
> > miners have a very strong, long-term, investment in the stability of the chain.
>
> Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
>
> > you burn them to be used at a future particular block height
>
> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>
> > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
>
> Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
>
>
> On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>>
>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>> > I'm fuzzy on how proof of burn works.
>>
>> when you burn coins, you burn them to be used at a future particular
>> block height: so if i'm burning for block 553, i can only use them to
>> mine block 553. if i have a choice between two chains, one longer
>> and one shorter, i can only choose one... deterministically, for that
>> burn: the chain with the height 553. if we fix the "lead time" for
>> burned coins to be weeks or even months in advance, miners have a very
>> strong, long-term, investment in the stability of the chain.
>>
>> therefore there is no "nothing at stake" problem. it's
>> deterministic, so miners have no choice. they can *only* choose the
>> transactions that go into the block. they cannot choose which chain
>> to mine, and it's time-locked, so rollbacks and instability always
>> hurt miners the most.
>>
>> the "punishment" systems of PoS are "weird at best", certainly
>> unproven. i can imagine scenarios where large stakeholders can
>> collude to punish smaller stakeholders simply to drive them out of
>> business, for example. and then you have to put checks in place to
>> prevent that, and more checks for those prevention system...
>>
>> in PoB, there is no complexity. simpler systems like this are
>> typically more secure.
>>
>> PoB also solves problems caused by "energy dependence", which could
>> lead to state monopolies on mining (like the new Bitcoin Mining
>> Council). these consortiums, if state sanctioned, could become a
>> source of censorship, for example. Since PoB doesn't require you to
>> have a live, well-connected node, it's harder to censor & harder to
>> trace.
>>
>> Eliminating this weakness seems to be in the best interests of
>> existing stakeholders
>>
>>
>>
>>
>> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>> >
>> > > proof of burn clearly solves this, since nothing is held online
>> >
>> > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>> >
>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>> >
>> > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>> >
>> > > proof of burn can be more secure than proof-of-stake
>> >
>> > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>> >
>> >
>> >
>> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>> >>
>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>> >>
>> >> proof of burn clearly solves this, since nothing is held online
>> >>
>> >> > how does proof of burn solve the "nothing at stake" problem in your view?
>> >>
>> >> definition of nothing at stake: in the event of a fork, whether the
>> >> fork is accidental or a malicious, the optimal strategy for any miner
>> >> is to mine on every chain, so that the miner gets their reward no
>> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>> >> published on the very chains mines, so the incentive is magnified.
>> >>
>> >> in proof-of-burn, your burn investment is always "at stake", any
>> >> redaction can result in a loss-of-burn, because burns can be tied,
>> >> precisely, to block-heights
>> >>
>> >> as a result, miners no longer have an incentive to mine all chains
>> >>
>> >> in this way proof of burn can be more secure than proof-of-stake, and
>> >> even more secure than proof of work
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> >
>> >>
>> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >
>> >> > Hi Billy,
>> >> >
>> >> > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>> >> > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>> >> >
>> >> > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>> >> > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>> >> > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>> >> > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>> >> > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>> >> > In PoS systems this clean separation of responsibilities does not exist.
>> >> >
>> >> > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>> >> > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>> >> > But the devil is in the detail.
>> >> > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>> >> >
>> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>> >> >
>> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>> >> > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>> >> > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>> >> > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>> >> >
>> >> > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>> >> >
>> >> > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>> >> >
>> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>> >> > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>> >> > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>> >> >
>> >> > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>> >> > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>> >> > It also grows the size of the blockchain significantly.
>> >> >
>> >> > ### "Pure" proof of stake (Algorand)
>> >> >
>> >> > Algorand's[4] approach is to only allow online stake to participate in the protocol.
>> >> > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>> >> > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>> >> > Hopefully you've spotted the problem.
>> >> > You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>> >> > Damn it's still Proof-of-SquareSpace!
>> >> > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>> >> > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>> >> >
>> >> > ### Conclusion
>> >> >
>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>> >> > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>> >> >
>> >> > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>> >> > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>> >> > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>> >> > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>> >> >
>> >> > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>> >> >
>> >> > Would be interested to know if you or others think differently on these points.
>> >> >
>> >> > [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>> >> > [2]: https://staking.staked.us/algorand-staking
>> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>> >> > [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>> >> > [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>> >> >
>> >> > Cheers,
>> >> >
>> >> > LL
>> >> >
>> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >>
>> >> >> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>> >> >>
>> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>> >> >> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>> >> >> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>> >> >> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>> >> >> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>> >> >>
>> >> >> > Proof-of-stake tends towards oligopolistic control
>> >> >>
>> >> >> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>> >> >>
>> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>> >> >>
>> >> >> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>> >> >>
>> >> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>> >> >>
>> >> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>> >> >>
>> >> >> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>> >> >>
>> >> >> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>> >> >>
>> >> >> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>> >> >>
>> >> >> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>> >> >>
>> >> >> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>> >> >>
>> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>> >> >>
>> >> >>
>> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >>>
>> >> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>> >> >>>
>> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>> >> >>>>
>> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>> >> >>>>
>> >> >>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>> >> >>>>
>> >> >>>> Cheers,
>> >> >>>> Mike
>> >> >>>>
>> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >>>>>
>> >> >>>>> 1. i never suggested vdf's to replace pow.
>> >> >>>>>
>> >> >>>>> 2. my suggestion was specifically *in the context of* a working
>> >> >>>>> proof-of-burn protocol
>> >> >>>>>
>> >> >>>>> - vdfs used only for timing (not block height)
>> >> >>>>> - blind-burned coins of a specific age used to replace proof of work
>> >> >>>>> - the required "work" per block would simply be a competition to
>> >> >>>>> acquire rewards, and so miners would have to burn coins, well in
>> >> >>>>> advance, and hope that their burned coins got rewarded in some far
>> >> >>>>> future
>> >> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
>> >> >>>>> value gained from proof of work... without some of the security
>> >> >>>>> drawbacks
>> >> >>>>> - the miner risks losing all of his burned coins (like all miners risk
>> >> >>>>> losing their work in each block)
>> >> >>>>> - new burns can't be used
>> >> >>>>> - old burns age out (like ASICs do)
>> >> >>>>> - other requirements on burns might be needed to properly mirror the
>> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>> >> >>>>>
>> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>> >> >>>>> might be more secure in the long run, and that if the entire space
>> >> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>> >> >>>>> up, and a hard-fork could be initiated.
>> >> >>>>>
>> >> >>>>> 4. i would never suggest such a thing unless i believed it was
>> >> >>>>> possible that consensus was possible. so no, this is not an "alt
>> >> >>>>> coin"
>> >> >>>>>
>> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>> >> >>>>> >
>> >> >>>>> > Hi ZmnSCPxj,
>> >> >>>>> >
>> >> >>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>> >> >>>>> >
>> >> >>>>> > Zac
>> >> >>>>> >
>> >> >>>>> >
>> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>> >> >>>>> >>
>> >> >>>>> >> Good morning Zac,
>> >> >>>>> >>
>> >> >>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>> >> >>>>> >> >
>> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>> >> >>>>> >> >
>> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>> >> >>>>> >> >
>> >> >>>>> >> > As a result, variation in block times will be greatly reduced.
>> >> >>>>> >>
>> >> >>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>> >> >>>>> >>
>> >> >>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>> >> >>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>> >> >>>>> >>
>> >> >>>>> >> Regards,
>> >> >>>>> >> ZmnSCPxj
>> >> >>>>> _______________________________________________
>> >> >>>>> bitcoin-dev mailing list
>> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> --
>> >> >>>> Michael Dubrovsky
>> >> >>>> Founder; PoWx
>> >> >>>> www.PoWx.org
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> --
>> >> >>> Michael Dubrovsky
>> >> >>> Founder; PoWx
>> >> >>> www.PoWx.org
>> >> >>> _______________________________________________
>> >> >>> bitcoin-dev mailing list
>> >> >>> bitcoin-dev@lists.linuxfoundation.org
>> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >> >>
>> >> >> _______________________________________________
>> >> >> bitcoin-dev mailing list
>> >> >> bitcoin-dev@lists.linuxfoundation.org
>> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >> >
>> >> > _______________________________________________
>> >> > bitcoin-dev mailing list
>> >> > bitcoin-dev@lists.linuxfoundation.org
>> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-25 13:00 ` Erik Aronesty
@ 2021-05-25 20:01 ` Billy Tetrud
2021-05-25 21:10 ` befreeandopen
0 siblings, 1 reply; 67+ messages in thread
From: Billy Tetrud @ 2021-05-25 20:01 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 28440 bytes --]
@befreeandopen " An attacker can calculate whether or not she can prolong
this chain or not and if so with what timestamp."
The scenario you describe would only be likely to happen at all if the
malicious actor has a very large fraction of the stake - probably quite
close to 50%. At that point, you're talking about a 51% attack, not the
nothing at stake problem. The nothing at stake problem is the problem where
anyone will mint on any chain. Its clear that if there's a substantial
punishment for minting on chains other than the one that eventually wins,
every minter without a significant fraction of the stake will be honest and
not attempt to mint on old blocks or support someone else's attempt to mint
on old blocks (until and if it becomes the heaviest chain). Because the
attacker would need probably >45% of the active stake (take a look at
the reasoning
here
<https://github.com/fresheneesz/ValidatedProofOfStake#security-the-minimum-cost-of-attack>
for a deeper analysis of that statement), I don't agree that punishment is
not a sufficient mitigation of the nothing at stake problem. To exploit the
nothing at stake problem, you basically need to 51% attack, at which point
you've exceeded the operating conditions of the system, so of course its
gonna have problems, just like a 51% attack would cause with PoW.
> I am not sure if this is what you call quorum-based PoS
Yes, pre-selected minters is exactly what I mean by that.
> it allows the attacker to know who to attack at which point with powerful
DDOS in order to hurt liveness of such system
Just like in bitcoin, associating keys with IP addresses isn't generally an
easy thing to do on the fly like that. If you know someone's IP address,
you can target them. But if you only know their address or public key, the
reverse isn't as easy. With a quorum-based PoS system, you can see their
public key and address, but finding out their IP to DOS would be a huge
challenge I think.
Note, tho, that quorum-based PoS generally also have punishments as part of
the protocol. The introduction of punishments do indeed handily solve the
nothing at stake problem. And you didn't mention a single problem that the
punishments introduce that weren't already there before punishments. There
are tradeoffs with introducing punishments (eg in some cases you might
punish honest actors), but they are minor in comparison to solving the
nothing at stake problem.
So I don't think it is at all misleading to claim that "nothing at stake"
is a solved problem. I do in fact mean that the solutions to that problem
don't introduce any other problems with anywhere near the same level of
significance.
On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
> > > you burn them to be used at a future particular block height
>
> > This sounds exploitable. It seems like an attacker could simply focus
> all their burns on a particular set of 6 blocks to double spend, minimizing
> their cost of attack.
>
> could be right. the original idea was to have burns decay over time,
> like ASIC's.
>
> anyway the point was not that "i had a magic formula"
>
> the point was that proof of burn is almost always better than proof of
> stake - simply because the "proof" is on-chain, not sitting on a node
> somewhere waiting to be stolen.
>
> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com>
> wrote:
> >
> > Is this the kind of proof of burn you're talking about?
> >
> > > if i have a choice between two chains, one longer and one shorter, i
> can only choose one... deterministically
> >
> > What prevents you from attempting to mine block 553 on both chains?
> >
> > > miners have a very strong, long-term, investment in the stability of
> the chain.
> >
> > Yes, but the same can be said of any coin, even ones that do have the
> nothing at stake problem. This isn't sufficient tho because the chain is a
> common good, and the tragedy of the commons holds for it.
> >
> > > you burn them to be used at a future particular block height
> >
> > This sounds exploitable. It seems like an attacker could simply focus
> all their burns on a particular set of 6 blocks to double spend, minimizing
> their cost of attack.
> >
> > > i can imagine scenarios where large stakeholders can collude to punish
> smaller stakeholders simply to drive them out of business, for example
> >
> > Are you talking about a 51% attack? This is possible in any
> decentralized cryptocurrency.
> >
> >
> > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
> >>
> >> > > your burn investment is always "at stake", any redaction can result
> in a loss-of-burn, because burns can be tied, precisely, to block-heights
> >> > I'm fuzzy on how proof of burn works.
> >>
> >> when you burn coins, you burn them to be used at a future particular
> >> block height: so if i'm burning for block 553, i can only use them to
> >> mine block 553. if i have a choice between two chains, one longer
> >> and one shorter, i can only choose one... deterministically, for that
> >> burn: the chain with the height 553. if we fix the "lead time" for
> >> burned coins to be weeks or even months in advance, miners have a very
> >> strong, long-term, investment in the stability of the chain.
> >>
> >> therefore there is no "nothing at stake" problem. it's
> >> deterministic, so miners have no choice. they can *only* choose the
> >> transactions that go into the block. they cannot choose which chain
> >> to mine, and it's time-locked, so rollbacks and instability always
> >> hurt miners the most.
> >>
> >> the "punishment" systems of PoS are "weird at best", certainly
> >> unproven. i can imagine scenarios where large stakeholders can
> >> collude to punish smaller stakeholders simply to drive them out of
> >> business, for example. and then you have to put checks in place to
> >> prevent that, and more checks for those prevention system...
> >>
> >> in PoB, there is no complexity. simpler systems like this are
> >> typically more secure.
> >>
> >> PoB also solves problems caused by "energy dependence", which could
> >> lead to state monopolies on mining (like the new Bitcoin Mining
> >> Council). these consortiums, if state sanctioned, could become a
> >> source of censorship, for example. Since PoB doesn't require you to
> >> have a live, well-connected node, it's harder to censor & harder to
> >> trace.
> >>
> >> Eliminating this weakness seems to be in the best interests of
> >> existing stakeholders
> >>
> >>
> >>
> >>
> >> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com>
> wrote:
> >> >
> >> > > proof of burn clearly solves this, since nothing is held online
> >> >
> >> > Well.. the coins to be burned need to be online when they're burned.
> But yes, only a small fraction of the total coins need to be online.
> >> >
> >> > > your burn investment is always "at stake", any redaction can result
> in a loss-of-burn, because burns can be tied, precisely, to block-heights
> >> >
> >> > So you're saying that if say someone tries to mine a block on a
> shorter chain, that requires them to send a transaction burning their
> coins, and that transaction could also be spent on the longest chain, which
> means their coins are burned even if the chain they tried to mine on
> doesn't win? I'm fuzzy on how proof of burn works.
> >> >
> >> > > proof of burn can be more secure than proof-of-stake
> >> >
> >> > FYI, proof of stake can be done without the "nothing at stake"
> problem. You can simply punish people who mint on shorter chains (by
> rewarding people who publish proofs of this happening on the main chain).
> In quorum-based PoS, you can punish people in the quorum that propose or
> sign multiple blocks for the same height. The "nothing at stake" problem is
> a solved problem at this point for PoS.
> >> >
> >> >
> >> >
> >> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
> >> >>
> >> >> > I don't see a way to get around the conflicting requirement that
> the keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
> >> >>
> >> >> proof of burn clearly solves this, since nothing is held online
> >> >>
> >> >> > how does proof of burn solve the "nothing at stake" problem in
> your view?
> >> >>
> >> >> definition of nothing at stake: in the event of a fork, whether the
> >> >> fork is accidental or a malicious, the optimal strategy for any miner
> >> >> is to mine on every chain, so that the miner gets their reward no
> >> >> matter which fork wins. indeed in proof-of-stake, the proofs are
> >> >> published on the very chains mines, so the incentive is magnified.
> >> >>
> >> >> in proof-of-burn, your burn investment is always "at stake", any
> >> >> redaction can result in a loss-of-burn, because burns can be tied,
> >> >> precisely, to block-heights
> >> >>
> >> >> as a result, miners no longer have an incentive to mine all chains
> >> >>
> >> >> in this way proof of burn can be more secure than proof-of-stake, and
> >> >> even more secure than proof of work
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> >
> >> >>
> >> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >> >
> >> >> > Hi Billy,
> >> >> >
> >> >> > I was going to write a post which started by dismissing many of
> the weak arguments that are made against PoS made in this thread and
> elsewhere.
> >> >> > Although I don't agree with all your points you have done a decent
> job here so I'll focus on the second part: why I think Proof-of-Stake is
> inappropriate for a Bitcoin-like system.
> >> >> >
> >> >> > Proof of stake is not fit for purpose for a global settlement
> layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin
> is trying to be.
> >> >> > PoS necessarily gives responsibilities to the holders of coins
> that they do not want and cannot handle.
> >> >> > In Bitcoin, large unsophisticated coin holders can put their coins
> in cold storage without a second thought given to the health of the
> underlying ledger.
> >> >> > As much as hardcore Bitcoiners try to convince them to run their
> own node, most don't, and that's perfectly acceptable.
> >> >> > At no point do their personal decisions affect the underlying
> consensus -- it only affects their personal security assurance (not that of
> the system itself).
> >> >> > In PoS systems this clean separation of responsibilities does not
> exist.
> >> >> >
> >> >> > I think that the more rigorously studied PoS protocols will work
> fine within the security claims made in their papers.
> >> >> > People who believe that these protocols are destined for
> catastrophic consensus failure are certainly in for a surprise.
> >> >> > But the devil is in the detail.
> >> >> > Let's look at what the implications of using the leading proof of
> stake protocols would have on Bitcoin:
> >> >> >
> >> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
> >> >> >
> >> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with
> an inbuilt on-chain delegation system[5].
> >> >> > In these protocols, coin holders who do not want to run their node
> with their hot keys in it delegate it to a "Stake Pool".
> >> >> > I call the resulting system Proof-of-SquareSpace since most will
> choose a pool by looking around for one with a nice website and offering
> the largest share of the block reward.
> >> >> > On the surface this might sound no different than someone with an
> mining rig shopping around for a good mining pool but there are crucial
> differences:
> >> >> >
> >> >> > 1. The person making the decision is forced into it just because
> they own the currency -- someone with a mining rig has purchased it with
> the intent to make profit by participating in consensus.
> >> >> >
> >> >> > 2. When you join a mining pool your systems are very much still
> online. You are just partaking in a pool to reduce your profit variance.
> You still see every block that you help create and *you never help create a
> block without seeing it first*.
> >> >> >
> >> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority
> and start censoring transactions how are the users meant to redelegate
> their stake to honest pools?
> >> >> > I guess they can just send a transaction delegating to another
> pool...oh wait I guess that might be censored too! This seems really really
> bad.
> >> >> > In Bitcoin, miners can just join a different pool at a whim. There
> is nothing the attacker can do to stop them. A temporary dishonest majority
> heals relatively well.
> >> >> >
> >> >> > There is another severe disadvantage to this on-chain delegation
> system: every UTXO must indicate which staking account this UTXO belongs to
> so the appropriate share of block rewards can be transferred there.
> >> >> > Being able to associate every UTXO to an account ruins one of the
> main privacy advantages of the UTXO model.
> >> >> > It also grows the size of the blockchain significantly.
> >> >> >
> >> >> > ### "Pure" proof of stake (Algorand)
> >> >> >
> >> >> > Algorand's[4] approach is to only allow online stake to
> participate in the protocol.
> >> >> > Theoretically, This means that keys holding funds have to be
> online in order for them to author blocks when they are chosen.
> >> >> > Of course in reality no one wants to keep their coin holding keys
> online so in Alogorand you can authorize a set of "participation keys"[1]
> that will be used to create blocks on your coin holding key's behalf.
> >> >> > Hopefully you've spotted the problem.
> >> >> > You can send your participation keys to any malicious party with a
> nice website (see random example [2]) offering you a good return.
> >> >> > Damn it's still Proof-of-SquareSpace!
> >> >> > The minor advantage is that at least the participation keys expire
> after a certain amount of time so eventually the SquareSpace attacker will
> lose their hold on consensus.
> >> >> > Importantly there is also less junk on the blockchain because the
> participation keys are delegated off-chain and so are not making as much of
> a mess.
> >> >> >
> >> >> > ### Conclusion
> >> >> >
> >> >> > I don't see a way to get around the conflicting requirement that
> the keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
> >> >> > If we allow delegation then we open up a new social attack surface
> and it degenerates to Proof-of-SquareSpace.
> >> >> >
> >> >> > For a "digital gold" like system like Bitcoin we optimize for
> simplicity and desperately want to avoid extraneous responsibilities for
> the holder of the coin.
> >> >> > After all, gold is an inert element on the periodic table that
> doesn't confer responsibilities on the holder to maintain the quality of
> all the other bars of gold out there.
> >> >> > Bitcoin feels like this too and in many ways is more inert and
> beautifully boring than gold.
> >> >> > For Bitcoin to succeed I think we need to keep it that way and
> Proof-of-Stake makes everything a bit too exciting.
> >> >> >
> >> >> > I suppose in the end the market will decide what is real digital
> gold and whether these bad technical trade offs are worth being able to say
> it uses less electricity. It goes without saying that making bad technical
> decisions to appease the current political climate is an anathema to
> Bitcoin.
> >> >> >
> >> >> > Would be interested to know if you or others think differently on
> these points.
> >> >> >
> >> >> > [1]:
> https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
> >> >> > [2]: https://staking.staked.us/algorand-staking
> >> >> > [3]: https://eprint.iacr.org/2017/573.pdf
> >> >> > [4]:
> https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
> >> >> > [5]:
> https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
> >> >> >
> >> >> > Cheers,
> >> >> >
> >> >> > LL
> >> >> >
> >> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >> >>
> >> >> >> I think there is a lot of misinformation and bias against Proof
> of Stake. Yes there have been lots of shady coins that use insecure PoS
> mechanisms. Yes there have been massive issues with distribution of PoS
> coins (of course there have also been massive issues with PoW coins as
> well). However, I want to remind everyone that there is a difference
> between "proved to be impossible" and "have not achieved recognized success
> yet". Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
> >> >> >>
> >> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is
> worse when a 51% attack happens. While I agree, I think that line of
> thinking omits important facts:
> >> >> >> * The capital required to 51% attack a PoS chain can be made
> substantially greater than on a PoS chain.
> >> >> >> * The capital the attacker stands to lose can be substantially
> greater as well if the attack is successful.
> >> >> >> * The effectiveness of paying miners to raise the honest fraction
> of miners above 50% may be quite bad.
> >> >> >> * Allowing a 51% attack is already unacceptable. It should be
> considered whether what happens in the case of a 51% may not be
> significantly different. The currency would likely be critically damaged in
> a 51% attack regardless of consensus mechanism.
> >> >> >>
> >> >> >> > Proof-of-stake tends towards oligopolistic control
> >> >> >>
> >> >> >> People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignifiant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
> >> >> >>
> >> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> >> >> >>
> >> >> >> I certainly agree. Bitcoin's energy usage at the moment is I
> think quite warranted. However, the question is: can we do substantially
> better. I think if we can, we probably should... eventually.
> >> >> >>
> >> >> >> > Proof of Stake is only resilient to ⅓ of the network
> demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to
> the ½ threshold
> >> >> >>
> >> >> >> I see no mention of this in the pos.pdf you linked to. I'm not
> aware of any proof that all PoS systems have a failure threshold of 1/3. I
> know that staking systems like Casper do in fact have that 1/3 requirement.
> However there are PoS designs that should exceed that up to nearly 50% as
> far as I'm aware. Proof of work is not in fact resilient up to the 1/2
> threshold in the way you would think. IE, if 100% of miners are currently
> honest and have a collective 100 exahashes/s hashpower, an attacker does
> not need to obtain 100 exahashes/s, but actually only needs to accumulate
> 50 exahashes/s. This is because as the attacker accumulates hashpower, it
> drives honest miners out of the market as the difficulty increases to
> beyond what is economically sustainable. Also, its been shown that the best
> proof of work can do is require an attacker to obtain 33% of the hashpower
> because of the selfish mining attack discussed in depth in this paper:
> https://arxiv.org/abs/1311.0243. Together, both of these things reduce
> PoW's security by a factor of about 83% (1 - 50%*33%).
> >> >> >>
> >> >> >> > Proof of Stake requires other trade-offs which are
> incompatible with Bitcoin's objective (to be a trustless digital cash) —
> specifically the famous "security vs. liveness" guarantee
> >> >> >>
> >> >> >> Do you have a good source that talks about why you think proof of
> stake cannot be used for a trustless digital cash?
> >> >> >>
> >> >> >> > You cannot gain tokens without someone choosing to give up
> those coins - a form of permission.
> >> >> >>
> >> >> >> This is not a practical constraint. Just like in mining, some
> nodes may reject you, but there will likely be more that will accept you,
> some sellers may reject you, but most would accept your money as payment
> for bitcoins. I don't think requiring the "permission" of one of millions
> of people in the market can be reasonably considered a "permissioned
> currency".
> >> >> >>
> >> >> >> > 2. Proof of stake must have a trusted means of timestamping to
> regulate overproduction of blocks
> >> >> >>
> >> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone
> agreed to double their clock speeds. Both systems rely on an honest
> majority sticking to standard time.
> >> >> >>
> >> >> >>
> >> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >> >>>
> >> >> >>> Ah sorry, I didn't realize this was, in fact, a different
> thread! :)
> >> >> >>>
> >> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <
> mike@powx.org> wrote:
> >> >> >>>>
> >> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the
> BIP itself. PoS, VDFs, and so on are interesting but I guess there are
> other threads going on these topics already where they would be relevant.
> >> >> >>>>
> >> >> >>>> Also, it's important to distinguish between oPoW and these
> other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't
> alter the core game theory or security assumptions of Hashcash and actually
> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> >> >> >>>>
> >> >> >>>> Cheers,
> >> >> >>>> Mike
> >> >> >>>>
> >> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >> >>>>>
> >> >> >>>>> 1. i never suggested vdf's to replace pow.
> >> >> >>>>>
> >> >> >>>>> 2. my suggestion was specifically *in the context of* a working
> >> >> >>>>> proof-of-burn protocol
> >> >> >>>>>
> >> >> >>>>> - vdfs used only for timing (not block height)
> >> >> >>>>> - blind-burned coins of a specific age used to replace proof
> of work
> >> >> >>>>> - the required "work" per block would simply be a competition
> to
> >> >> >>>>> acquire rewards, and so miners would have to burn coins, well
> in
> >> >> >>>>> advance, and hope that their burned coins got rewarded in some
> far
> >> >> >>>>> future
> >> >> >>>>> - the point of burned coins is to mimic, in every meaningful
> way, the
> >> >> >>>>> value gained from proof of work... without some of the security
> >> >> >>>>> drawbacks
> >> >> >>>>> - the miner risks losing all of his burned coins (like all
> miners risk
> >> >> >>>>> losing their work in each block)
> >> >> >>>>> - new burns can't be used
> >> >> >>>>> - old burns age out (like ASICs do)
> >> >> >>>>> - other requirements on burns might be needed to properly
> mirror the
> >> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine
> honestly.
> >> >> >>>>>
> >> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf
> system"
> >> >> >>>>> might be more secure in the long run, and that if the entire
> space
> >> >> >>>>> agreed that such an endeavor was worthwhile, a test net could
> be spun
> >> >> >>>>> up, and a hard-fork could be initiated.
> >> >> >>>>>
> >> >> >>>>> 4. i would never suggest such a thing unless i believed it was
> >> >> >>>>> possible that consensus was possible. so no, this is not an
> "alt
> >> >> >>>>> coin"
> >> >> >>>>>
> >> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <
> zachgrw@gmail.com> wrote:
> >> >> >>>>> >
> >> >> >>>>> > Hi ZmnSCPxj,
> >> >> >>>>> >
> >> >> >>>>> > Please note that I am not suggesting VDFs as a means to save
> energy, but solely as a means to make the time between blocks more constant.
> >> >> >>>>> >
> >> >> >>>>> > Zac
> >> >> >>>>> >
> >> >> >>>>> >
> >> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <
> ZmnSCPxj@protonmail.com> wrote:
> >> >> >>>>> >>
> >> >> >>>>> >> Good morning Zac,
> >> >> >>>>> >>
> >> >> >>>>> >> > VDFs might enable more constant block times, for instance
> by having a two-step PoW:
> >> >> >>>>> >> >
> >> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF
> being subject to difficulty adjustments similar to the as-is). As per the
> property of VDFs, miners are able show proof of work.
> >> >> >>>>> >> >
> >> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so
> finding a block takes 1 minute on average, again subject to as-is
> difficulty adjustments.
> >> >> >>>>> >> >
> >> >> >>>>> >> > As a result, variation in block times will be greatly
> reduced.
> >> >> >>>>> >>
> >> >> >>>>> >> As I understand it, another weakness of VDFs is that they
> are not inherently progress-free (their sequential nature prevents that;
> they are inherently progress-requiring).
> >> >> >>>>> >>
> >> >> >>>>> >> Thus, a miner which focuses on improving the amount of
> energy that it can pump into the VDF circuitry (by overclocking and
> freezing the circuitry), could potentially get into a winner-takes-all
> situation, possibly leading to even *worse* competition and even *more*
> energy consumption.
> >> >> >>>>> >> After all, if you can start mining 0.1s faster than the
> competition, that is a 0.1s advantage where *only you* can mine *in the
> entire world*.
> >> >> >>>>> >>
> >> >> >>>>> >> Regards,
> >> >> >>>>> >> ZmnSCPxj
> >> >> >>>>> _______________________________________________
> >> >> >>>>> bitcoin-dev mailing list
> >> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
> >> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> >> >>>>
> >> >> >>>>
> >> >> >>>>
> >> >> >>>> --
> >> >> >>>> Michael Dubrovsky
> >> >> >>>> Founder; PoWx
> >> >> >>>> www.PoWx.org
> >> >> >>>
> >> >> >>>
> >> >> >>>
> >> >> >>> --
> >> >> >>> Michael Dubrovsky
> >> >> >>> Founder; PoWx
> >> >> >>> www.PoWx.org
> >> >> >>> _______________________________________________
> >> >> >>> bitcoin-dev mailing list
> >> >> >>> bitcoin-dev@lists.linuxfoundation.org
> >> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> >> >>
> >> >> >> _______________________________________________
> >> >> >> bitcoin-dev mailing list
> >> >> >> bitcoin-dev@lists.linuxfoundation.org
> >> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> >> >
> >> >> > _______________________________________________
> >> >> > bitcoin-dev mailing list
> >> >> > bitcoin-dev@lists.linuxfoundation.org
> >> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 37102 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-25 20:01 ` Billy Tetrud
@ 2021-05-25 21:10 ` befreeandopen
2021-05-26 6:53 ` Billy Tetrud
0 siblings, 1 reply; 67+ messages in thread
From: befreeandopen @ 2021-05-25 21:10 UTC (permalink / raw)
To: Billy Tetrud, Bitcoin Protocol Discussion; +Cc: SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 31911 bytes --]
> @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
>
> The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the [reasoning here](https://github.com/fresheneesz/ValidatedProofOfStake#security-the-minimum-cost-of-attack) for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
>> I am not sure if this is what you call quorum-based PoS
>
> Yes, pre-selected minters is exactly what I mean by that.
>
>> it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
>
> Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
> Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
> So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
> On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
>
>>> > you burn them to be used at a future particular block height
>>
>>> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>
>> could be right. the original idea was to have burns decay over time,
>> like ASIC's.
>>
>> anyway the point was not that "i had a magic formula"
>>
>> the point was that proof of burn is almost always better than proof of
>> stake - simply because the "proof" is on-chain, not sitting on a node
>> somewhere waiting to be stolen.
>>
>> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>
>>> Is this the kind of proof of burn you're talking about?
>>>
>>> > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
>>>
>>> What prevents you from attempting to mine block 553 on both chains?
>>>
>>> > miners have a very strong, long-term, investment in the stability of the chain.
>>>
>>> Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
>>>
>>> > you burn them to be used at a future particular block height
>>>
>>> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>
>>> > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
>>>
>>> Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
>>>
>>>
>>> On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>>>>
>>>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>> > I'm fuzzy on how proof of burn works.
>>>>
>>>> when you burn coins, you burn them to be used at a future particular
>>>> block height: so if i'm burning for block 553, i can only use them to
>>>> mine block 553. if i have a choice between two chains, one longer
>>>> and one shorter, i can only choose one... deterministically, for that
>>>> burn: the chain with the height 553. if we fix the "lead time" for
>>>> burned coins to be weeks or even months in advance, miners have a very
>>>> strong, long-term, investment in the stability of the chain.
>>>>
>>>> therefore there is no "nothing at stake" problem. it's
>>>> deterministic, so miners have no choice. they can *only* choose the
>>>> transactions that go into the block. they cannot choose which chain
>>>> to mine, and it's time-locked, so rollbacks and instability always
>>>> hurt miners the most.
>>>>
>>>> the "punishment" systems of PoS are "weird at best", certainly
>>>> unproven. i can imagine scenarios where large stakeholders can
>>>> collude to punish smaller stakeholders simply to drive them out of
>>>> business, for example. and then you have to put checks in place to
>>>> prevent that, and more checks for those prevention system...
>>>>
>>>> in PoB, there is no complexity. simpler systems like this are
>>>> typically more secure.
>>>>
>>>> PoB also solves problems caused by "energy dependence", which could
>>>> lead to state monopolies on mining (like the new Bitcoin Mining
>>>> Council). these consortiums, if state sanctioned, could become a
>>>> source of censorship, for example. Since PoB doesn't require you to
>>>> have a live, well-connected node, it's harder to censor & harder to
>>>> trace.
>>>>
>>>> Eliminating this weakness seems to be in the best interests of
>>>> existing stakeholders
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>> >
>>>> > > proof of burn clearly solves this, since nothing is held online
>>>> >
>>>> > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>>>> >
>>>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>> >
>>>> > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>>>> >
>>>> > > proof of burn can be more secure than proof-of-stake
>>>> >
>>>> > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>>>> >
>>>> >
>>>> >
>>>> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>>>> >>
>>>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>> >>
>>>> >> proof of burn clearly solves this, since nothing is held online
>>>> >>
>>>> >> > how does proof of burn solve the "nothing at stake" problem in your view?
>>>> >>
>>>> >> definition of nothing at stake: in the event of a fork, whether the
>>>> >> fork is accidental or a malicious, the optimal strategy for any miner
>>>> >> is to mine on every chain, so that the miner gets their reward no
>>>> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>>>> >> published on the very chains mines, so the incentive is magnified.
>>>> >>
>>>> >> in proof-of-burn, your burn investment is always "at stake", any
>>>> >> redaction can result in a loss-of-burn, because burns can be tied,
>>>> >> precisely, to block-heights
>>>> >>
>>>> >> as a result, miners no longer have an incentive to mine all chains
>>>> >>
>>>> >> in this way proof of burn can be more secure than proof-of-stake, and
>>>> >> even more secure than proof of work
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> >
>>>> >>
>>>> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>>>> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >
>>>> >> > Hi Billy,
>>>> >> >
>>>> >> > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>>>> >> > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>>>> >> >
>>>> >> > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>>>> >> > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>>>> >> > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>>>> >> > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>>>> >> > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>>>> >> > In PoS systems this clean separation of responsibilities does not exist.
>>>> >> >
>>>> >> > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>>>> >> > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>>>> >> > But the devil is in the detail.
>>>> >> > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>>>> >> >
>>>> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>>>> >> >
>>>> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>>>> >> > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>>>> >> > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>>>> >> > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>>>> >> >
>>>> >> > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>>>> >> >
>>>> >> > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>>>> >> >
>>>> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>>>> >> > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>>>> >> > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>>>> >> >
>>>> >> > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>>>> >> > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>>>> >> > It also grows the size of the blockchain significantly.
>>>> >> >
>>>> >> > ### "Pure" proof of stake (Algorand)
>>>> >> >
>>>> >> > Algorand's[4] approach is to only allow online stake to participate in the protocol.
>>>> >> > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>>>> >> > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>>>> >> > Hopefully you've spotted the problem.
>>>> >> > You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>>>> >> > Damn it's still Proof-of-SquareSpace!
>>>> >> > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>>>> >> > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>>>> >> >
>>>> >> > ### Conclusion
>>>> >> >
>>>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>> >> > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>>>> >> >
>>>> >> > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>>>> >> > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>>>> >> > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>>>> >> > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>>>> >> >
>>>> >> > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>>>> >> >
>>>> >> > Would be interested to know if you or others think differently on these points.
>>>> >> >
>>>> >> > [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>>>> >> > [2]: https://staking.staked.us/algorand-staking
>>>> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>>>> >> > [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>>>> >> > [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>>> >> >
>>>> >> > Cheers,
>>>> >> >
>>>> >> > LL
>>>> >> >
>>>> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >>
>>>> >> >> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>>>> >> >>
>>>> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>>>> >> >> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>>>> >> >> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>>>> >> >> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>>>> >> >> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>>>> >> >>
>>>> >> >> > Proof-of-stake tends towards oligopolistic control
>>>> >> >>
>>>> >> >> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>>>> >> >>
>>>> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>>> >> >>
>>>> >> >> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>>>> >> >>
>>>> >> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>>> >> >>
>>>> >> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>>>> >> >>
>>>> >> >> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>>>> >> >>
>>>> >> >> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>>>> >> >>
>>>> >> >> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>>>> >> >>
>>>> >> >> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>>>> >> >>
>>>> >> >> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>>>> >> >>
>>>> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>>>> >> >>
>>>> >> >>
>>>> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >>>
>>>> >> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>> >> >>>
>>>> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>>> >> >>>>
>>>> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>>> >> >>>>
>>>> >> >>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>> >> >>>>
>>>> >> >>>> Cheers,
>>>> >> >>>> Mike
>>>> >> >>>>
>>>> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >>>>>
>>>> >> >>>>> 1. i never suggested vdf's to replace pow.
>>>> >> >>>>>
>>>> >> >>>>> 2. my suggestion was specifically *in the context of* a working
>>>> >> >>>>> proof-of-burn protocol
>>>> >> >>>>>
>>>> >> >>>>> - vdfs used only for timing (not block height)
>>>> >> >>>>> - blind-burned coins of a specific age used to replace proof of work
>>>> >> >>>>> - the required "work" per block would simply be a competition to
>>>> >> >>>>> acquire rewards, and so miners would have to burn coins, well in
>>>> >> >>>>> advance, and hope that their burned coins got rewarded in some far
>>>> >> >>>>> future
>>>> >> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>> >> >>>>> value gained from proof of work... without some of the security
>>>> >> >>>>> drawbacks
>>>> >> >>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>> >> >>>>> losing their work in each block)
>>>> >> >>>>> - new burns can't be used
>>>> >> >>>>> - old burns age out (like ASICs do)
>>>> >> >>>>> - other requirements on burns might be needed to properly mirror the
>>>> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>> >> >>>>>
>>>> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>> >> >>>>> might be more secure in the long run, and that if the entire space
>>>> >> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>> >> >>>>> up, and a hard-fork could be initiated.
>>>> >> >>>>>
>>>> >> >>>>> 4. i would never suggest such a thing unless i believed it was
>>>> >> >>>>> possible that consensus was possible. so no, this is not an "alt
>>>> >> >>>>> coin"
>>>> >> >>>>>
>>>> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>>> >> >>>>> >
>>>> >> >>>>> > Hi ZmnSCPxj,
>>>> >> >>>>> >
>>>> >> >>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>>> >> >>>>> >
>>>> >> >>>>> > Zac
>>>> >> >>>>> >
>>>> >> >>>>> >
>>>> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>>> >> >>>>> >>
>>>> >> >>>>> >> Good morning Zac,
>>>> >> >>>>> >>
>>>> >> >>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>>> >> >>>>> >> >
>>>> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>>> >> >>>>> >> >
>>>> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>>> >> >>>>> >> >
>>>> >> >>>>> >> > As a result, variation in block times will be greatly reduced.
>>>> >> >>>>> >>
>>>> >> >>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>>> >> >>>>> >>
>>>> >> >>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>>> >> >>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>> >> >>>>> >>
>>>> >> >>>>> >> Regards,
>>>> >> >>>>> >> ZmnSCPxj
>>>> >> >>>>> _______________________________________________
>>>> >> >>>>> bitcoin-dev mailing list
>>>> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>> >> >>>>
>>>> >> >>>>
>>>> >> >>>>
>>>> >> >>>> --
>>>> >> >>>> Michael Dubrovsky
>>>> >> >>>> Founder; PoWx
>>>> >> >>>> www.PoWx.org
>>>> >> >>>
>>>> >> >>>
>>>> >> >>>
>>>> >> >>> --
>>>> >> >>> Michael Dubrovsky
>>>> >> >>> Founder; PoWx
>>>> >> >>> www.PoWx.org
>>>> >> >>> _______________________________________________
>>>> >> >>> bitcoin-dev mailing list
>>>> >> >>> bitcoin-dev@lists.linuxfoundation.org
>>>> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>> >> >>
>>>> >> >> _______________________________________________
>>>> >> >> bitcoin-dev mailing list
>>>> >> >> bitcoin-dev@lists.linuxfoundation.org
>>>> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>> >> >
>>>> >> > _______________________________________________
>>>> >> > bitcoin-dev mailing list
>>>> >> > bitcoin-dev@lists.linuxfoundation.org
>>>> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 45280 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-25 21:10 ` befreeandopen
@ 2021-05-26 6:53 ` Billy Tetrud
2021-05-26 13:11 ` befreeandopen
0 siblings, 1 reply; 67+ messages in thread
From: Billy Tetrud @ 2021-05-26 6:53 UTC (permalink / raw)
To: befreeandopen; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 37479 bytes --]
@befreeandopen I guess I misunderstood your selfish minting attack. Let me
make sure I understand it. You're saying it would go as follows?:
1. The malicious actor comes across an opportunity to mint the next 3
blocks. But they hold off and don't release their blocks just yet.
2. They receive a new block minted by someone else.
3. The malicious actor then chooses to release their other 2 blocks on on
the second from the top block if it gives them more blocks in the future
than minting on the top block. And instead lets the top block proceed if it
gives them more blocks in the future (also figuring in the 3 blocks they're
missing out on minting).
4. Profit!
The problem with this attack is that any self respecting PoS system
wouldn't have the information available for minters to know how blocks will
affect their future prospects of minting. Otherwise this would introduce
the problem of stake grinding. This can be done using collaborative
randomness (where numbers from many parties are combined to create a random
number that no individual party could predict). In fact, that's what the
Casper protocol does to decide quorums. In a non quorum case, you can do
something like record a hash of a number in the block header, and then have
a second step to release that number later. Rewards can be given can be
used to ensure minters act honestly here by minting messages that release
these numbers and not releasing their secret numbers too early.
Fun fact tho: there is an attack called the "selfish mining attack" for
proof of work, and it reduces the security of PoW by at least 1/3rd
<https://bitcoinmagazine.com/technical/selfish-mining-a-25-attack-against-the-bitcoin-network-1383578440>
.
> the problem is not as hard as you think
I don't claim to know just how hard finding the IP address associated with
a bitcoin address is. However, the DOS risk can be solved more completely
by only allowing the owner of coins themselves to know whether they can
mint a block. Eg by determining whether someone can mint a block based on
their public key hidden behind hashes (as normal in addresses). Only when
someone does in fact mint a block do they reveal their hidden public key in
order to prove they are allowed to mint the block.
> I agree that introduction of punishment itself does not imply introducing
a problem elsewhere (which I did not claim if you reread my previous
message)
I'm glad we agree there. Perhaps I misunderstood what you meant by "you
should not omit to mention that by doing so, typically, you have introduced
another problem elsewhere."
> As long as the staker makes sure (which is not that hard) that she does
not miss a chance to create a block, her significance in the system will
always increase in time. It will increase relative to all normal users who
do not stake
Well, if you're in the closed system of the cryptocurrency, sure. But we
don't live in that closed system. Minters will earn some ROI from minting
just like any other financial activity. Others may find more success
spending their time doing things other than figuring out how to mint coins.
In that case, they'll be able to earn more coin that they could later
decide to use to mint blocks if they decide to.
> Just because of the above we must reject PoS as being critically insecure
I think the only thing we can conclude from this is that you have come up
with an insecure proof of stake protocol. I don't see how anything you've
brought up amounts to substantial evidence that all possible PoS protocols
are insecure.
On Tue, May 25, 2021 at 11:10 AM befreeandopen <befreeandopen@protonmail.com>
wrote:
>
> @befreeandopen " An attacker can calculate whether or not she can prolong
> this chain or not and if so with what timestamp."
>
> The scenario you describe would only be likely to happen at all if the
> malicious actor has a very large fraction of the stake - probably quite
> close to 50%. At that point, you're talking about a 51% attack, not the
> nothing at stake problem. The nothing at stake problem is the problem where
> anyone will mint on any chain. Its clear that if there's a substantial
> punishment for minting on chains other than the one that eventually wins,
> every minter without a significant fraction of the stake will be honest and
> not attempt to mint on old blocks or support someone else's attempt to mint
> on old blocks (until and if it becomes the heaviest chain). Because the
> attacker would need probably >45% of the active stake (take a look at the reasoning
> here
> <https://github.com/fresheneesz/ValidatedProofOfStake#security-the-minimum-cost-of-attack>
> for a deeper analysis of that statement), I don't agree that punishment is
> not a sufficient mitigation of the nothing at stake problem. To exploit the
> nothing at stake problem, you basically need to 51% attack, at which point
> you've exceeded the operating conditions of the system, so of course its
> gonna have problems, just like a 51% attack would cause with PoW.
>
>
> This is not at all the case. The attacker benefits using the described
> technique at any size of the stake and significantly so with just 5% of the
> stake. By significantly, I do not mean that the attacker is able to
> completely take control the network (in short term), but rather that the
> attacker has significant advantage in the number of blocks she creates
> compared to what she "should be able to create". This means the attacker's
> stake increases significantly faster than of the honest nodes, which in
> long term is very serious in PoS system. If you believe close to 50% is
> needed for that, you need to redo your math. So no, you are wrong stating
> that "to exploit nothing at stake problem you basically need to 51%
> attack". It is rather the opposite - eventually, nothing at stake attack
> leads to ability to perform 51% attack.
>
>
>
> > I am not sure if this is what you call quorum-based PoS
>
> Yes, pre-selected minters is exactly what I mean by that.
>
> > it allows the attacker to know who to attack at which point with
> powerful DDOS in order to hurt liveness of such system
>
> Just like in bitcoin, associating keys with IP addresses isn't generally
> an easy thing to do on the fly like that. If you know someone's IP address,
> you can target them. But if you only know their address or public key, the
> reverse isn't as easy. With a quorum-based PoS system, you can see their
> public key and address, but finding out their IP to DOS would be a huge
> challenge I think.
>
>
> I do not dispute that the problem is not trivial, but the problem is not
> as hard as you think. The network graph analysis is a known technique and
> it is not trivial, but not very hard either. Introducing a large number of
> nodes to the system to achieve very good success rate of analysis of area
> of origin of blocks is doable and has been done in past. So again, I very
> much disagree with your conclusion that this is somehow secure. It is
> absolutely insecure.
>
>
>
> Note, tho, that quorum-based PoS generally also have punishments as part
> of the protocol. The introduction of punishments do indeed handily solve
> the nothing at stake problem. And you didn't mention a single problem that
> the punishments introduce that weren't already there before punishments.
> There are tradeoffs with introducing punishments (eg in some cases you
> might punish honest actors), but they are minor in comparison to solving
> the nothing at stake problem.
>
>
> While I agree that introduction of punishment itself does not imply
> introducing a problem elsewhere (which I did not claim if you reread my
> previous message), it does introduce additional complexity which may
> introduce problem, but more importantly, while it slightly improves
> resistance against the nothing at stake attack, it solves absolutely
> nothing. Your claim is based on wrong claim of needed close to 50% stake,
> but that could not be farther from the truth. It is not true even in
> optimal conditions when all participants of the network stake or delegate
> their stake. These optimal conditions rarely, if ever, occur. And that's
> another thing that we have not mention in our debate, so please allow me to
> introduce another problem to PoS.
>
> Consider what is needed for such optimal conditions to occur - all coins
> are always part of the stake, which means that they need to somehow
> automatically part of the staking process even when they are moved. But in
> many PoS systems you usually require some age (in terms of confirmations)
> of the coin before you allow it to be used for participation in staking
> process and that is for a good reason - to prevent various grinding
> attacks. In some systems the coin must be specifically registered before it
> can be staked, in others, simply waiting for enough confirmations enables
> you to stake with the coin. I am not sure if there is a system which does
> not have this cooling period for a coin that has been moved. Maybe it is
> possible though, but AFAIK it is not common and not battle tested feature.
>
> Then if we admit that achieving the optimal condition is rather
> theoretical. Then if we do not have the optimal condition, it means that a
> staker with K% of the total available supply increases it's percentage over
> time to some amounts >K%. As long as the staker makes sure (which is not
> that hard) that she does not miss a chance to create a block, her
> significance in the system will always increase in time. It will increase
> relative to all normal users who do not stake (if there are any) and
> relative to all other stakers who make mistakes or who are not wealthy
> enough to afford not selling any position ever. But powerful attacker is
> exactly in such position and thus she will gain significance in such a
> system. The technique I have described, and that you mistakenly think is
> viable only with huge amounts of stake, only puts the attacker to even
> greater advantage. But even without the described attack (which exploits
> nothing at stake), the PoS system converges to a system more and more
> controlled by powerful entity, which we can assume is the attacker.
>
>
> So I don't think it is at all misleading to claim that "nothing at stake"
> is a solved problem. I do in fact mean that the solutions to that problem
> don't introduce any other problems with anywhere near the same level of
> significance.
>
>
> It still stands as truly misleading claim. I disagree that introducing
> DDOS opportunity with medium level of difficulty for the attacker to
> implement it, in case of "quorum-based PoS" is not a problem anywhere near
> the same level of significance. Such an attack vector allows you to turn
> off the network if you spend some time and money. That is hardly acceptable.
>
> Just because of the above we must reject PoS as being critically insecure
> until someone invents and demonstrates an actual way of solving these
> issues.
>
>
>
> On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
>
>> > > you burn them to be used at a future particular block height
>>
>> > This sounds exploitable. It seems like an attacker could simply focus
>> all their burns on a particular set of 6 blocks to double spend, minimizing
>> their cost of attack.
>>
>> could be right. the original idea was to have burns decay over time,
>> like ASIC's.
>>
>> anyway the point was not that "i had a magic formula"
>>
>> the point was that proof of burn is almost always better than proof of
>> stake - simply because the "proof" is on-chain, not sitting on a node
>> somewhere waiting to be stolen.
>>
>> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com>
>> wrote:
>> >
>> > Is this the kind of proof of burn you're talking about?
>> >
>> > > if i have a choice between two chains, one longer and one shorter,
>> i can only choose one... deterministically
>> >
>> > What prevents you from attempting to mine block 553 on both chains?
>> >
>> > > miners have a very strong, long-term, investment in the stability of
>> the chain.
>> >
>> > Yes, but the same can be said of any coin, even ones that do have the
>> nothing at stake problem. This isn't sufficient tho because the chain is a
>> common good, and the tragedy of the commons holds for it.
>> >
>> > > you burn them to be used at a future particular block height
>> >
>> > This sounds exploitable. It seems like an attacker could simply focus
>> all their burns on a particular set of 6 blocks to double spend, minimizing
>> their cost of attack.
>> >
>> > > i can imagine scenarios where large stakeholders can collude to
>> punish smaller stakeholders simply to drive them out of business, for
>> example
>> >
>> > Are you talking about a 51% attack? This is possible in any
>> decentralized cryptocurrency.
>> >
>> >
>> > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>> >>
>> >> > > your burn investment is always "at stake", any redaction can
>> result in a loss-of-burn, because burns can be tied, precisely, to
>> block-heights
>> >> > I'm fuzzy on how proof of burn works.
>> >>
>> >> when you burn coins, you burn them to be used at a future particular
>> >> block height: so if i'm burning for block 553, i can only use them to
>> >> mine block 553. if i have a choice between two chains, one longer
>> >> and one shorter, i can only choose one... deterministically, for that
>> >> burn: the chain with the height 553. if we fix the "lead time" for
>> >> burned coins to be weeks or even months in advance, miners have a very
>> >> strong, long-term, investment in the stability of the chain.
>> >>
>> >> therefore there is no "nothing at stake" problem. it's
>> >> deterministic, so miners have no choice. they can *only* choose the
>> >> transactions that go into the block. they cannot choose which chain
>> >> to mine, and it's time-locked, so rollbacks and instability always
>> >> hurt miners the most.
>> >>
>> >> the "punishment" systems of PoS are "weird at best", certainly
>> >> unproven. i can imagine scenarios where large stakeholders can
>> >> collude to punish smaller stakeholders simply to drive them out of
>> >> business, for example. and then you have to put checks in place to
>> >> prevent that, and more checks for those prevention system...
>> >>
>> >> in PoB, there is no complexity. simpler systems like this are
>> >> typically more secure.
>> >>
>> >> PoB also solves problems caused by "energy dependence", which could
>> >> lead to state monopolies on mining (like the new Bitcoin Mining
>> >> Council). these consortiums, if state sanctioned, could become a
>> >> source of censorship, for example. Since PoB doesn't require you to
>> >> have a live, well-connected node, it's harder to censor & harder to
>> >> trace.
>> >>
>> >> Eliminating this weakness seems to be in the best interests of
>> >> existing stakeholders
>> >>
>> >>
>> >>
>> >>
>> >> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com>
>> wrote:
>> >> >
>> >> > > proof of burn clearly solves this, since nothing is held online
>> >> >
>> >> > Well.. the coins to be burned need to be online when they're burned.
>> But yes, only a small fraction of the total coins need to be online.
>> >> >
>> >> > > your burn investment is always "at stake", any redaction can
>> result in a loss-of-burn, because burns can be tied, precisely, to
>> block-heights
>> >> >
>> >> > So you're saying that if say someone tries to mine a block on a
>> shorter chain, that requires them to send a transaction burning their
>> coins, and that transaction could also be spent on the longest chain, which
>> means their coins are burned even if the chain they tried to mine on
>> doesn't win? I'm fuzzy on how proof of burn works.
>> >> >
>> >> > > proof of burn can be more secure than proof-of-stake
>> >> >
>> >> > FYI, proof of stake can be done without the "nothing at stake"
>> problem. You can simply punish people who mint on shorter chains (by
>> rewarding people who publish proofs of this happening on the main chain).
>> In quorum-based PoS, you can punish people in the quorum that propose or
>> sign multiple blocks for the same height. The "nothing at stake" problem is
>> a solved problem at this point for PoS.
>> >> >
>> >> >
>> >> >
>> >> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>> >> >>
>> >> >> > I don't see a way to get around the conflicting requirement that
>> the keys for large amounts of coins should be kept offline but those are
>> exactly the coins we need online to make the scheme secure.
>> >> >>
>> >> >> proof of burn clearly solves this, since nothing is held online
>> >> >>
>> >> >> > how does proof of burn solve the "nothing at stake" problem in
>> your view?
>> >> >>
>> >> >> definition of nothing at stake: in the event of a fork, whether the
>> >> >> fork is accidental or a malicious, the optimal strategy for any
>> miner
>> >> >> is to mine on every chain, so that the miner gets their reward no
>> >> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>> >> >> published on the very chains mines, so the incentive is magnified.
>> >> >>
>> >> >> in proof-of-burn, your burn investment is always "at stake", any
>> >> >> redaction can result in a loss-of-burn, because burns can be tied,
>> >> >> precisely, to block-heights
>> >> >>
>> >> >> as a result, miners no longer have an incentive to mine all chains
>> >> >>
>> >> >> in this way proof of burn can be more secure than proof-of-stake,
>> and
>> >> >> even more secure than proof of work
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> >
>> >> >>
>> >> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >> >
>> >> >> > Hi Billy,
>> >> >> >
>> >> >> > I was going to write a post which started by dismissing many of
>> the weak arguments that are made against PoS made in this thread and
>> elsewhere.
>> >> >> > Although I don't agree with all your points you have done a
>> decent job here so I'll focus on the second part: why I think
>> Proof-of-Stake is inappropriate for a Bitcoin-like system.
>> >> >> >
>> >> >> > Proof of stake is not fit for purpose for a global settlement
>> layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin
>> is trying to be.
>> >> >> > PoS necessarily gives responsibilities to the holders of coins
>> that they do not want and cannot handle.
>> >> >> > In Bitcoin, large unsophisticated coin holders can put their
>> coins in cold storage without a second thought given to the health of the
>> underlying ledger.
>> >> >> > As much as hardcore Bitcoiners try to convince them to run their
>> own node, most don't, and that's perfectly acceptable.
>> >> >> > At no point do their personal decisions affect the underlying
>> consensus -- it only affects their personal security assurance (not that of
>> the system itself).
>> >> >> > In PoS systems this clean separation of responsibilities does not
>> exist.
>> >> >> >
>> >> >> > I think that the more rigorously studied PoS protocols will work
>> fine within the security claims made in their papers.
>> >> >> > People who believe that these protocols are destined for
>> catastrophic consensus failure are certainly in for a surprise.
>> >> >> > But the devil is in the detail.
>> >> >> > Let's look at what the implications of using the leading proof of
>> stake protocols would have on Bitcoin:
>> >> >> >
>> >> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>> >> >> >
>> >> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with
>> an inbuilt on-chain delegation system[5].
>> >> >> > In these protocols, coin holders who do not want to run their
>> node with their hot keys in it delegate it to a "Stake Pool".
>> >> >> > I call the resulting system Proof-of-SquareSpace since most will
>> choose a pool by looking around for one with a nice website and offering
>> the largest share of the block reward.
>> >> >> > On the surface this might sound no different than someone with an
>> mining rig shopping around for a good mining pool but there are crucial
>> differences:
>> >> >> >
>> >> >> > 1. The person making the decision is forced into it just because
>> they own the currency -- someone with a mining rig has purchased it with
>> the intent to make profit by participating in consensus.
>> >> >> >
>> >> >> > 2. When you join a mining pool your systems are very much still
>> online. You are just partaking in a pool to reduce your profit variance.
>> You still see every block that you help create and *you never help create a
>> block without seeing it first*.
>> >> >> >
>> >> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority
>> and start censoring transactions how are the users meant to redelegate
>> their stake to honest pools?
>> >> >> > I guess they can just send a transaction delegating to another
>> pool...oh wait I guess that might be censored too! This seems really really
>> bad.
>> >> >> > In Bitcoin, miners can just join a different pool at a whim.
>> There is nothing the attacker can do to stop them. A temporary dishonest
>> majority heals relatively well.
>> >> >> >
>> >> >> > There is another severe disadvantage to this on-chain delegation
>> system: every UTXO must indicate which staking account this UTXO belongs to
>> so the appropriate share of block rewards can be transferred there.
>> >> >> > Being able to associate every UTXO to an account ruins one of the
>> main privacy advantages of the UTXO model.
>> >> >> > It also grows the size of the blockchain significantly.
>> >> >> >
>> >> >> > ### "Pure" proof of stake (Algorand)
>> >> >> >
>> >> >> > Algorand's[4] approach is to only allow online stake to
>> participate in the protocol.
>> >> >> > Theoretically, This means that keys holding funds have to be
>> online in order for them to author blocks when they are chosen.
>> >> >> > Of course in reality no one wants to keep their coin holding keys
>> online so in Alogorand you can authorize a set of "participation keys"[1]
>> that will be used to create blocks on your coin holding key's behalf.
>> >> >> > Hopefully you've spotted the problem.
>> >> >> > You can send your participation keys to any malicious party with
>> a nice website (see random example [2]) offering you a good return.
>> >> >> > Damn it's still Proof-of-SquareSpace!
>> >> >> > The minor advantage is that at least the participation keys
>> expire after a certain amount of time so eventually the SquareSpace
>> attacker will lose their hold on consensus.
>> >> >> > Importantly there is also less junk on the blockchain because the
>> participation keys are delegated off-chain and so are not making as much of
>> a mess.
>> >> >> >
>> >> >> > ### Conclusion
>> >> >> >
>> >> >> > I don't see a way to get around the conflicting requirement that
>> the keys for large amounts of coins should be kept offline but those are
>> exactly the coins we need online to make the scheme secure.
>> >> >> > If we allow delegation then we open up a new social attack
>> surface and it degenerates to Proof-of-SquareSpace.
>> >> >> >
>> >> >> > For a "digital gold" like system like Bitcoin we optimize for
>> simplicity and desperately want to avoid extraneous responsibilities for
>> the holder of the coin.
>> >> >> > After all, gold is an inert element on the periodic table that
>> doesn't confer responsibilities on the holder to maintain the quality of
>> all the other bars of gold out there.
>> >> >> > Bitcoin feels like this too and in many ways is more inert and
>> beautifully boring than gold.
>> >> >> > For Bitcoin to succeed I think we need to keep it that way and
>> Proof-of-Stake makes everything a bit too exciting.
>> >> >> >
>> >> >> > I suppose in the end the market will decide what is real digital
>> gold and whether these bad technical trade offs are worth being able to say
>> it uses less electricity. It goes without saying that making bad technical
>> decisions to appease the current political climate is an anathema to
>> Bitcoin.
>> >> >> >
>> >> >> > Would be interested to know if you or others think differently on
>> these points.
>> >> >> >
>> >> >> > [1]:
>> https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>> >> >> > [2]: https://staking.staked.us/algorand-staking
>> >> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>> >> >> > [4]:
>> https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>> >> >> > [5]:
>> https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>> >> >> >
>> >> >> > Cheers,
>> >> >> >
>> >> >> > LL
>> >> >> >
>> >> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >> >>
>> >> >> >> I think there is a lot of misinformation and bias against Proof
>> of Stake. Yes there have been lots of shady coins that use insecure PoS
>> mechanisms. Yes there have been massive issues with distribution of PoS
>> coins (of course there have also been massive issues with PoW coins as
>> well). However, I want to remind everyone that there is a difference
>> between "proved to be impossible" and "have not achieved recognized success
>> yet". Most of the arguments levied against PoS are out of date or rely on
>> unproven assumptions or extrapolation from the analysis of a particular PoS
>> system. I certainly don't think we should experiment with bitcoin by
>> switching to PoS, but from my research, it seems very likely that there is
>> a proof of stake consensus protocol we could build that has substantially
>> higher security (cost / capital required to execute an attack) while at the
>> same time costing far less resources (which do translate to fees on the
>> network) *without* compromising any of the critical security properties
>> bitcoin relies on. I think the critical piece of this is the disagreements
>> around hardcoded checkpoints, which is a critical piece solving attacks
>> that could be levied on a PoS chain, and how that does (or doesn't) affect
>> the security model.
>> >> >> >>
>> >> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is
>> worse when a 51% attack happens. While I agree, I think that line of
>> thinking omits important facts:
>> >> >> >> * The capital required to 51% attack a PoS chain can be made
>> substantially greater than on a PoS chain.
>> >> >> >> * The capital the attacker stands to lose can be substantially
>> greater as well if the attack is successful.
>> >> >> >> * The effectiveness of paying miners to raise the honest
>> fraction of miners above 50% may be quite bad.
>> >> >> >> * Allowing a 51% attack is already unacceptable. It should be
>> considered whether what happens in the case of a 51% may not be
>> significantly different. The currency would likely be critically damaged in
>> a 51% attack regardless of consensus mechanism.
>> >> >> >>
>> >> >> >> > Proof-of-stake tends towards oligopolistic control
>> >> >> >>
>> >> >> >> People repeat this often, but the facts support this. There is
>> no centralization pressure in any proof of stake mechanism that I'm aware
>> of. IE if you have 10 times as much coin that you use to mint blocks, you
>> should expect to earn 10x as much minting revenue - not more than 10x. By
>> contrast, proof of work does in fact have clear centralization pressure -
>> this is not disputed. Our goal in relation to that is to ensure that the
>> centralization pressure remains insignifiant. Proof of work also clearly
>> has a lot more barriers to entry than any proof of stake system does. Both
>> of these mean the tendency towards oligopolistic control is worse for PoW.
>> >> >> >>
>> >> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>> >> >> >>
>> >> >> >> I certainly agree. Bitcoin's energy usage at the moment is I
>> think quite warranted. However, the question is: can we do substantially
>> better. I think if we can, we probably should... eventually.
>> >> >> >>
>> >> >> >> > Proof of Stake is only resilient to ⅓ of the network
>> demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to
>> the ½ threshold
>> >> >> >>
>> >> >> >> I see no mention of this in the pos.pdf you linked to. I'm not
>> aware of any proof that all PoS systems have a failure threshold of 1/3. I
>> know that staking systems like Casper do in fact have that 1/3 requirement.
>> However there are PoS designs that should exceed that up to nearly 50% as
>> far as I'm aware. Proof of work is not in fact resilient up to the 1/2
>> threshold in the way you would think. IE, if 100% of miners are currently
>> honest and have a collective 100 exahashes/s hashpower, an attacker does
>> not need to obtain 100 exahashes/s, but actually only needs to accumulate
>> 50 exahashes/s. This is because as the attacker accumulates hashpower, it
>> drives honest miners out of the market as the difficulty increases to
>> beyond what is economically sustainable. Also, its been shown that the best
>> proof of work can do is require an attacker to obtain 33% of the hashpower
>> because of the selfish mining attack discussed in depth in this paper:
>> https://arxiv.org/abs/1311.0243. Together, both of these things reduce
>> PoW's security by a factor of about 83% (1 - 50%*33%).
>> >> >> >>
>> >> >> >> > Proof of Stake requires other trade-offs which are
>> incompatible with Bitcoin's objective (to be a trustless digital cash) —
>> specifically the famous "security vs. liveness" guarantee
>> >> >> >>
>> >> >> >> Do you have a good source that talks about why you think proof
>> of stake cannot be used for a trustless digital cash?
>> >> >> >>
>> >> >> >> > You cannot gain tokens without someone choosing to give up
>> those coins - a form of permission.
>> >> >> >>
>> >> >> >> This is not a practical constraint. Just like in mining, some
>> nodes may reject you, but there will likely be more that will accept you,
>> some sellers may reject you, but most would accept your money as payment
>> for bitcoins. I don't think requiring the "permission" of one of millions
>> of people in the market can be reasonably considered a "permissioned
>> currency".
>> >> >> >>
>> >> >> >> > 2. Proof of stake must have a trusted means of timestamping to
>> regulate overproduction of blocks
>> >> >> >>
>> >> >> >> Both PoW and PoS could mine/mint blocks twice as fast if
>> everyone agreed to double their clock speeds. Both systems rely on an
>> honest majority sticking to standard time.
>> >> >> >>
>> >> >> >>
>> >> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via
>> bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >> >>>
>> >> >> >>> Ah sorry, I didn't realize this was, in fact, a different
>> thread! :)
>> >> >> >>>
>> >> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <
>> mike@powx.org> wrote:
>> >> >> >>>>
>> >> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the
>> BIP itself. PoS, VDFs, and so on are interesting but I guess there are
>> other threads going on these topics already where they would be relevant.
>> >> >> >>>>
>> >> >> >>>> Also, it's important to distinguish between oPoW and these
>> other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't
>> alter the core game theory or security assumptions of Hashcash and actually
>> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>> >> >> >>>>
>> >> >> >>>> Cheers,
>> >> >> >>>> Mike
>> >> >> >>>>
>> >> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >> >> >>>>>
>> >> >> >>>>> 1. i never suggested vdf's to replace pow.
>> >> >> >>>>>
>> >> >> >>>>> 2. my suggestion was specifically *in the context of* a
>> working
>> >> >> >>>>> proof-of-burn protocol
>> >> >> >>>>>
>> >> >> >>>>> - vdfs used only for timing (not block height)
>> >> >> >>>>> - blind-burned coins of a specific age used to replace proof
>> of work
>> >> >> >>>>> - the required "work" per block would simply be a competition
>> to
>> >> >> >>>>> acquire rewards, and so miners would have to burn coins, well
>> in
>> >> >> >>>>> advance, and hope that their burned coins got rewarded in
>> some far
>> >> >> >>>>> future
>> >> >> >>>>> - the point of burned coins is to mimic, in every meaningful
>> way, the
>> >> >> >>>>> value gained from proof of work... without some of the
>> security
>> >> >> >>>>> drawbacks
>> >> >> >>>>> - the miner risks losing all of his burned coins (like all
>> miners risk
>> >> >> >>>>> losing their work in each block)
>> >> >> >>>>> - new burns can't be used
>> >> >> >>>>> - old burns age out (like ASICs do)
>> >> >> >>>>> - other requirements on burns might be needed to properly
>> mirror the
>> >> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine
>> honestly.
>> >> >> >>>>>
>> >> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf
>> system"
>> >> >> >>>>> might be more secure in the long run, and that if the entire
>> space
>> >> >> >>>>> agreed that such an endeavor was worthwhile, a test net could
>> be spun
>> >> >> >>>>> up, and a hard-fork could be initiated.
>> >> >> >>>>>
>> >> >> >>>>> 4. i would never suggest such a thing unless i believed it was
>> >> >> >>>>> possible that consensus was possible. so no, this is not an
>> "alt
>> >> >> >>>>> coin"
>> >> >> >>>>>
>> >> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <
>> zachgrw@gmail.com> wrote:
>> >> >> >>>>> >
>> >> >> >>>>> > Hi ZmnSCPxj,
>> >> >> >>>>> >
>> >> >> >>>>> > Please note that I am not suggesting VDFs as a means to
>> save energy, but solely as a means to make the time between blocks more
>> constant.
>> >> >> >>>>> >
>> >> >> >>>>> > Zac
>> >> >> >>>>> >
>> >> >> >>>>> >
>> >> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <
>> ZmnSCPxj@protonmail.com> wrote:
>> >> >> >>>>> >>
>> >> >> >>>>> >> Good morning Zac,
>> >> >> >>>>> >>
>> >> >> >>>>> >> > VDFs might enable more constant block times, for
>> instance by having a two-step PoW:
>> >> >> >>>>> >> >
>> >> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF
>> being subject to difficulty adjustments similar to the as-is). As per the
>> property of VDFs, miners are able show proof of work.
>> >> >> >>>>> >> >
>> >> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so
>> finding a block takes 1 minute on average, again subject to as-is
>> difficulty adjustments.
>> >> >> >>>>> >> >
>> >> >> >>>>> >> > As a result, variation in block times will be greatly
>> reduced.
>> >> >> >>>>> >>
>> >> >> >>>>> >> As I understand it, another weakness of VDFs is that they
>> are not inherently progress-free (their sequential nature prevents that;
>> they are inherently progress-requiring).
>> >> >> >>>>> >>
>> >> >> >>>>> >> Thus, a miner which focuses on improving the amount of
>> energy that it can pump into the VDF circuitry (by overclocking and
>> freezing the circuitry), could potentially get into a winner-takes-all
>> situation, possibly leading to even *worse* competition and even *more*
>> energy consumption.
>> >> >> >>>>> >> After all, if you can start mining 0.1s faster than the
>> competition, that is a 0.1s advantage where *only you* can mine *in the
>> entire world*.
>> >> >> >>>>> >>
>> >> >> >>>>> >> Regards,
>> >> >> >>>>> >> ZmnSCPxj
>> >> >> >>>>> _______________________________________________
>> >> >> >>>>> bitcoin-dev mailing list
>> >> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>> >> >> >>>>>
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>> --
>> >> >> >>>> Michael Dubrovsky
>> >> >> >>>> Founder; PoWx
>> >> >> >>>> www.PoWx.org
>> >> >> >>>
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> --
>> >> >> >>> Michael Dubrovsky
>> >> >> >>> Founder; PoWx
>> >> >> >>> www.PoWx.org
>> >> >> >>> _______________________________________________
>> >> >> >>> bitcoin-dev mailing list
>> >> >> >>> bitcoin-dev@lists.linuxfoundation.org
>> >> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> bitcoin-dev mailing list
>> >> >> >> bitcoin-dev@lists.linuxfoundation.org
>> >> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > bitcoin-dev mailing list
>> >> >> > bitcoin-dev@lists.linuxfoundation.org
>> >> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
[-- Attachment #2: Type: text/html, Size: 49965 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-26 6:53 ` Billy Tetrud
@ 2021-05-26 13:11 ` befreeandopen
2021-05-26 22:07 ` Erik Aronesty
2021-05-27 10:08 ` Billy Tetrud
0 siblings, 2 replies; 67+ messages in thread
From: befreeandopen @ 2021-05-26 13:11 UTC (permalink / raw)
To: Billy Tetrud; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 42046 bytes --]
> @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
>
> 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> 2. They receive a new block minted by someone else.
> 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> 4. Profit!
>
> The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
> Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by [at least 1/3rd](https://bitcoinmagazine.com/technical/selfish-mining-a-25-attack-against-the-bitcoin-network-1383578440).
How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
>> the problem is not as hard as you think
>
> I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
>> I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
>
> I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
Perhaps you should quote the full sentence and not just a part of it:
"Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
In case of the punishment it was meant to be the not solve it completely part.
Also "typically" does not imply always.
But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
>> As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
>
> Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
>> Just because of the above we must reject PoS as being critically insecure
>
> I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
> On Tue, May 25, 2021 at 11:10 AM befreeandopen <befreeandopen@protonmail.com> wrote:
>
>>> @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
>>>
>>> The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the [reasoning here](https://github.com/fresheneesz/ValidatedProofOfStake#security-the-minimum-cost-of-attack) for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
>>
>> This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
>>
>>>> I am not sure if this is what you call quorum-based PoS
>>>
>>> Yes, pre-selected minters is exactly what I mean by that.
>>>
>>>> it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
>>>
>>> Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
>>
>> I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
>>
>>> Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
>>
>> While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
>>
>> Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
>>
>> Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
>>
>>> So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
>>
>> It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
>>
>> Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
>>
>>> On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
>>>
>>>>> > you burn them to be used at a future particular block height
>>>>
>>>>> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>>
>>>> could be right. the original idea was to have burns decay over time,
>>>> like ASIC's.
>>>>
>>>> anyway the point was not that "i had a magic formula"
>>>>
>>>> the point was that proof of burn is almost always better than proof of
>>>> stake - simply because the "proof" is on-chain, not sitting on a node
>>>> somewhere waiting to be stolen.
>>>>
>>>> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>>>
>>>>> Is this the kind of proof of burn you're talking about?
>>>>>
>>>>> > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
>>>>>
>>>>> What prevents you from attempting to mine block 553 on both chains?
>>>>>
>>>>> > miners have a very strong, long-term, investment in the stability of the chain.
>>>>>
>>>>> Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
>>>>>
>>>>> > you burn them to be used at a future particular block height
>>>>>
>>>>> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>>>
>>>>> > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
>>>>>
>>>>> Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
>>>>>
>>>>>
>>>>> On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>>>>>>
>>>>>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>>>> > I'm fuzzy on how proof of burn works.
>>>>>>
>>>>>> when you burn coins, you burn them to be used at a future particular
>>>>>> block height: so if i'm burning for block 553, i can only use them to
>>>>>> mine block 553. if i have a choice between two chains, one longer
>>>>>> and one shorter, i can only choose one... deterministically, for that
>>>>>> burn: the chain with the height 553. if we fix the "lead time" for
>>>>>> burned coins to be weeks or even months in advance, miners have a very
>>>>>> strong, long-term, investment in the stability of the chain.
>>>>>>
>>>>>> therefore there is no "nothing at stake" problem. it's
>>>>>> deterministic, so miners have no choice. they can *only* choose the
>>>>>> transactions that go into the block. they cannot choose which chain
>>>>>> to mine, and it's time-locked, so rollbacks and instability always
>>>>>> hurt miners the most.
>>>>>>
>>>>>> the "punishment" systems of PoS are "weird at best", certainly
>>>>>> unproven. i can imagine scenarios where large stakeholders can
>>>>>> collude to punish smaller stakeholders simply to drive them out of
>>>>>> business, for example. and then you have to put checks in place to
>>>>>> prevent that, and more checks for those prevention system...
>>>>>>
>>>>>> in PoB, there is no complexity. simpler systems like this are
>>>>>> typically more secure.
>>>>>>
>>>>>> PoB also solves problems caused by "energy dependence", which could
>>>>>> lead to state monopolies on mining (like the new Bitcoin Mining
>>>>>> Council). these consortiums, if state sanctioned, could become a
>>>>>> source of censorship, for example. Since PoB doesn't require you to
>>>>>> have a live, well-connected node, it's harder to censor & harder to
>>>>>> trace.
>>>>>>
>>>>>> Eliminating this weakness seems to be in the best interests of
>>>>>> existing stakeholders
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>>>> >
>>>>>> > > proof of burn clearly solves this, since nothing is held online
>>>>>> >
>>>>>> > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>>>>>> >
>>>>>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>>>> >
>>>>>> > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>>>>>> >
>>>>>> > > proof of burn can be more secure than proof-of-stake
>>>>>> >
>>>>>> > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>>>>>> >>
>>>>>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>>>> >>
>>>>>> >> proof of burn clearly solves this, since nothing is held online
>>>>>> >>
>>>>>> >> > how does proof of burn solve the "nothing at stake" problem in your view?
>>>>>> >>
>>>>>> >> definition of nothing at stake: in the event of a fork, whether the
>>>>>> >> fork is accidental or a malicious, the optimal strategy for any miner
>>>>>> >> is to mine on every chain, so that the miner gets their reward no
>>>>>> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>>>>>> >> published on the very chains mines, so the incentive is magnified.
>>>>>> >>
>>>>>> >> in proof-of-burn, your burn investment is always "at stake", any
>>>>>> >> redaction can result in a loss-of-burn, because burns can be tied,
>>>>>> >> precisely, to block-heights
>>>>>> >>
>>>>>> >> as a result, miners no longer have an incentive to mine all chains
>>>>>> >>
>>>>>> >> in this way proof of burn can be more secure than proof-of-stake, and
>>>>>> >> even more secure than proof of work
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >> >
>>>>>> >>
>>>>>> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>>>>>> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>> >> >
>>>>>> >> > Hi Billy,
>>>>>> >> >
>>>>>> >> > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>>>>>> >> > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>>>>>> >> >
>>>>>> >> > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>>>>>> >> > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>>>>>> >> > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>>>>>> >> > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>>>>>> >> > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>>>>>> >> > In PoS systems this clean separation of responsibilities does not exist.
>>>>>> >> >
>>>>>> >> > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>>>>>> >> > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>>>>>> >> > But the devil is in the detail.
>>>>>> >> > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>>>>>> >> >
>>>>>> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>>>>>> >> >
>>>>>> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>>>>>> >> > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>>>>>> >> > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>>>>>> >> > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>>>>>> >> >
>>>>>> >> > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>>>>>> >> >
>>>>>> >> > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>>>>>> >> >
>>>>>> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>>>>>> >> > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>>>>>> >> > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>>>>>> >> >
>>>>>> >> > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>>>>>> >> > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>>>>>> >> > It also grows the size of the blockchain significantly.
>>>>>> >> >
>>>>>> >> > ### "Pure" proof of stake (Algorand)
>>>>>> >> >
>>>>>> >> > Algorand's[4] approach is to only allow online stake to participate in the protocol.
>>>>>> >> > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>>>>>> >> > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>>>>>> >> > Hopefully you've spotted the problem.
>>>>>> >> > You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>>>>>> >> > Damn it's still Proof-of-SquareSpace!
>>>>>> >> > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>>>>>> >> > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>>>>>> >> >
>>>>>> >> > ### Conclusion
>>>>>> >> >
>>>>>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>>>> >> > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>>>>>> >> >
>>>>>> >> > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>>>>>> >> > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>>>>>> >> > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>>>>>> >> > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>>>>>> >> >
>>>>>> >> > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>>>>>> >> >
>>>>>> >> > Would be interested to know if you or others think differently on these points.
>>>>>> >> >
>>>>>> >> > [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>>>>>> >> > [2]: https://staking.staked.us/algorand-staking
>>>>>> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>>>>>> >> > [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>>>>>> >> > [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>>>>> >> >
>>>>>> >> > Cheers,
>>>>>> >> >
>>>>>> >> > LL
>>>>>> >> >
>>>>>> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>> >> >>
>>>>>> >> >> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>>>>>> >> >>
>>>>>> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>>>>>> >> >> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>>>>>> >> >> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>>>>>> >> >> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>>>>>> >> >> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>>>>>> >> >>
>>>>>> >> >> > Proof-of-stake tends towards oligopolistic control
>>>>>> >> >>
>>>>>> >> >> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>>>>>> >> >>
>>>>>> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>>>>> >> >>
>>>>>> >> >> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>>>>>> >> >>
>>>>>> >> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>>>>> >> >>
>>>>>> >> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>>>>>> >> >>
>>>>>> >> >> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>>>>>> >> >>
>>>>>> >> >> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>>>>>> >> >>
>>>>>> >> >> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>>>>>> >> >>
>>>>>> >> >> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>>>>>> >> >>
>>>>>> >> >> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>>>>>> >> >>
>>>>>> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>>>>>> >> >>
>>>>>> >> >>
>>>>>> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>> >> >>>
>>>>>> >> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>>>> >> >>>
>>>>>> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>>>>> >> >>>>
>>>>>> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>>>>> >> >>>>
>>>>>> >> >>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>>>> >> >>>>
>>>>>> >> >>>> Cheers,
>>>>>> >> >>>> Mike
>>>>>> >> >>>>
>>>>>> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>> >> >>>>>
>>>>>> >> >>>>> 1. i never suggested vdf's to replace pow.
>>>>>> >> >>>>>
>>>>>> >> >>>>> 2. my suggestion was specifically *in the context of* a working
>>>>>> >> >>>>> proof-of-burn protocol
>>>>>> >> >>>>>
>>>>>> >> >>>>> - vdfs used only for timing (not block height)
>>>>>> >> >>>>> - blind-burned coins of a specific age used to replace proof of work
>>>>>> >> >>>>> - the required "work" per block would simply be a competition to
>>>>>> >> >>>>> acquire rewards, and so miners would have to burn coins, well in
>>>>>> >> >>>>> advance, and hope that their burned coins got rewarded in some far
>>>>>> >> >>>>> future
>>>>>> >> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>>>> >> >>>>> value gained from proof of work... without some of the security
>>>>>> >> >>>>> drawbacks
>>>>>> >> >>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>>>> >> >>>>> losing their work in each block)
>>>>>> >> >>>>> - new burns can't be used
>>>>>> >> >>>>> - old burns age out (like ASICs do)
>>>>>> >> >>>>> - other requirements on burns might be needed to properly mirror the
>>>>>> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>>> >> >>>>>
>>>>>> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>>>> >> >>>>> might be more secure in the long run, and that if the entire space
>>>>>> >> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>>>> >> >>>>> up, and a hard-fork could be initiated.
>>>>>> >> >>>>>
>>>>>> >> >>>>> 4. i would never suggest such a thing unless i believed it was
>>>>>> >> >>>>> possible that consensus was possible. so no, this is not an "alt
>>>>>> >> >>>>> coin"
>>>>>> >> >>>>>
>>>>>> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>>>>> >> >>>>> >
>>>>>> >> >>>>> > Hi ZmnSCPxj,
>>>>>> >> >>>>> >
>>>>>> >> >>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>>>>> >> >>>>> >
>>>>>> >> >>>>> > Zac
>>>>>> >> >>>>> >
>>>>>> >> >>>>> >
>>>>>> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>>>>> >> >>>>> >>
>>>>>> >> >>>>> >> Good morning Zac,
>>>>>> >> >>>>> >>
>>>>>> >> >>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>>>>> >> >>>>> >> >
>>>>>> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>>>>> >> >>>>> >> >
>>>>>> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>>>>> >> >>>>> >> >
>>>>>> >> >>>>> >> > As a result, variation in block times will be greatly reduced.
>>>>>> >> >>>>> >>
>>>>>> >> >>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>>>>> >> >>>>> >>
>>>>>> >> >>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>>>>> >> >>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>>>> >> >>>>> >>
>>>>>> >> >>>>> >> Regards,
>>>>>> >> >>>>> >> ZmnSCPxj
>>>>>> >> >>>>> _______________________________________________
>>>>>> >> >>>>> bitcoin-dev mailing list
>>>>>> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>>> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>> >> >>>>
>>>>>> >> >>>>
>>>>>> >> >>>>
>>>>>> >> >>>> --
>>>>>> >> >>>> Michael Dubrovsky
>>>>>> >> >>>> Founder; PoWx
>>>>>> >> >>>> www.PoWx.org
>>>>>> >> >>>
>>>>>> >> >>>
>>>>>> >> >>>
>>>>>> >> >>> --
>>>>>> >> >>> Michael Dubrovsky
>>>>>> >> >>> Founder; PoWx
>>>>>> >> >>> www.PoWx.org
>>>>>> >> >>> _______________________________________________
>>>>>> >> >>> bitcoin-dev mailing list
>>>>>> >> >>> bitcoin-dev@lists.linuxfoundation.org
>>>>>> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>> >> >>
>>>>>> >> >> _______________________________________________
>>>>>> >> >> bitcoin-dev mailing list
>>>>>> >> >> bitcoin-dev@lists.linuxfoundation.org
>>>>>> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>> >> >
>>>>>> >> > _______________________________________________
>>>>>> >> > bitcoin-dev mailing list
>>>>>> >> > bitcoin-dev@lists.linuxfoundation.org
>>>>>> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 56158 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-26 13:11 ` befreeandopen
@ 2021-05-26 22:07 ` Erik Aronesty
2021-05-28 14:40 ` befreeandopen
2021-05-27 10:08 ` Billy Tetrud
1 sibling, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-05-26 22:07 UTC (permalink / raw)
To: befreeandopen; +Cc: Bitcoin Protocol Discussion, SatoshiSingh, Billy Tetrud
note: the "nothing at stake" problem you propose is not broken for
proof-of-burn, because the attacker
a) has no idea which past transactions are burns
b) has no way to use his mining power, even 5%, to maliciously improve
his odds of being selected
On Wed, May 26, 2021 at 9:12 AM befreeandopen
<befreeandopen@protonmail.com> wrote:
>
>
>
> @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
>
> 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> 2. They receive a new block minted by someone else.
> 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> 4. Profit!
>
> The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
>
>
> Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
>
> I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
>
> What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
>
>
>
> Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
>
>
> How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
>
>
>
> > the problem is not as hard as you think
>
> I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
>
>
> This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
>
>
>
>
> > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
>
> I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
>
>
> Perhaps you should quote the full sentence and not just a part of it:
>
> "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
>
> You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
> In case of the punishment it was meant to be the not solve it completely part.
> Also "typically" does not imply always.
> But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
>
>
>
> > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
>
> Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
>
>
> This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
>
>
>
>
> > Just because of the above we must reject PoS as being critically insecure
>
> I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
>
>
> I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
>
> Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
>
>
>
>
>
> On Tue, May 25, 2021 at 11:10 AM befreeandopen <befreeandopen@protonmail.com> wrote:
>>
>>
>> @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
>>
>> The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
>>
>>
>> This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
>>
>>
>>
>> > I am not sure if this is what you call quorum-based PoS
>>
>> Yes, pre-selected minters is exactly what I mean by that.
>>
>> > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
>>
>> Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
>>
>>
>> I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
>>
>>
>>
>> Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
>>
>>
>> While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
>>
>> Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
>>
>> Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
>>
>>
>> So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
>>
>>
>> It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
>>
>> Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
>>
>>
>>
>> On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
>>>
>>> > > you burn them to be used at a future particular block height
>>>
>>> > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>
>>> could be right. the original idea was to have burns decay over time,
>>> like ASIC's.
>>>
>>> anyway the point was not that "i had a magic formula"
>>>
>>> the point was that proof of burn is almost always better than proof of
>>> stake - simply because the "proof" is on-chain, not sitting on a node
>>> somewhere waiting to be stolen.
>>>
>>> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>> >
>>> > Is this the kind of proof of burn you're talking about?
>>> >
>>> > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
>>> >
>>> > What prevents you from attempting to mine block 553 on both chains?
>>> >
>>> > > miners have a very strong, long-term, investment in the stability of the chain.
>>> >
>>> > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
>>> >
>>> > > you burn them to be used at a future particular block height
>>> >
>>> > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>> >
>>> > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
>>> >
>>> > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
>>> >
>>> >
>>> > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>>> >>
>>> >> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>> >> > I'm fuzzy on how proof of burn works.
>>> >>
>>> >> when you burn coins, you burn them to be used at a future particular
>>> >> block height: so if i'm burning for block 553, i can only use them to
>>> >> mine block 553. if i have a choice between two chains, one longer
>>> >> and one shorter, i can only choose one... deterministically, for that
>>> >> burn: the chain with the height 553. if we fix the "lead time" for
>>> >> burned coins to be weeks or even months in advance, miners have a very
>>> >> strong, long-term, investment in the stability of the chain.
>>> >>
>>> >> therefore there is no "nothing at stake" problem. it's
>>> >> deterministic, so miners have no choice. they can *only* choose the
>>> >> transactions that go into the block. they cannot choose which chain
>>> >> to mine, and it's time-locked, so rollbacks and instability always
>>> >> hurt miners the most.
>>> >>
>>> >> the "punishment" systems of PoS are "weird at best", certainly
>>> >> unproven. i can imagine scenarios where large stakeholders can
>>> >> collude to punish smaller stakeholders simply to drive them out of
>>> >> business, for example. and then you have to put checks in place to
>>> >> prevent that, and more checks for those prevention system...
>>> >>
>>> >> in PoB, there is no complexity. simpler systems like this are
>>> >> typically more secure.
>>> >>
>>> >> PoB also solves problems caused by "energy dependence", which could
>>> >> lead to state monopolies on mining (like the new Bitcoin Mining
>>> >> Council). these consortiums, if state sanctioned, could become a
>>> >> source of censorship, for example. Since PoB doesn't require you to
>>> >> have a live, well-connected node, it's harder to censor & harder to
>>> >> trace.
>>> >>
>>> >> Eliminating this weakness seems to be in the best interests of
>>> >> existing stakeholders
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>> >> >
>>> >> > > proof of burn clearly solves this, since nothing is held online
>>> >> >
>>> >> > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>>> >> >
>>> >> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>> >> >
>>> >> > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>>> >> >
>>> >> > > proof of burn can be more secure than proof-of-stake
>>> >> >
>>> >> > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>>> >> >
>>> >> >
>>> >> >
>>> >> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>>> >> >>
>>> >> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>> >> >>
>>> >> >> proof of burn clearly solves this, since nothing is held online
>>> >> >>
>>> >> >> > how does proof of burn solve the "nothing at stake" problem in your view?
>>> >> >>
>>> >> >> definition of nothing at stake: in the event of a fork, whether the
>>> >> >> fork is accidental or a malicious, the optimal strategy for any miner
>>> >> >> is to mine on every chain, so that the miner gets their reward no
>>> >> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>>> >> >> published on the very chains mines, so the incentive is magnified.
>>> >> >>
>>> >> >> in proof-of-burn, your burn investment is always "at stake", any
>>> >> >> redaction can result in a loss-of-burn, because burns can be tied,
>>> >> >> precisely, to block-heights
>>> >> >>
>>> >> >> as a result, miners no longer have an incentive to mine all chains
>>> >> >>
>>> >> >> in this way proof of burn can be more secure than proof-of-stake, and
>>> >> >> even more secure than proof of work
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> >
>>> >> >>
>>> >> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>>> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >
>>> >> >> > Hi Billy,
>>> >> >> >
>>> >> >> > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>>> >> >> > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>>> >> >> >
>>> >> >> > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>>> >> >> > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>>> >> >> > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>>> >> >> > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>>> >> >> > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>>> >> >> > In PoS systems this clean separation of responsibilities does not exist.
>>> >> >> >
>>> >> >> > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>>> >> >> > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>>> >> >> > But the devil is in the detail.
>>> >> >> > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>>> >> >> >
>>> >> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>>> >> >> >
>>> >> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>>> >> >> > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>>> >> >> > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>>> >> >> > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>>> >> >> >
>>> >> >> > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>>> >> >> >
>>> >> >> > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>>> >> >> >
>>> >> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>>> >> >> > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>>> >> >> > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>>> >> >> >
>>> >> >> > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>>> >> >> > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>>> >> >> > It also grows the size of the blockchain significantly.
>>> >> >> >
>>> >> >> > ### "Pure" proof of stake (Algorand)
>>> >> >> >
>>> >> >> > Algorand's[4] approach is to only allow online stake to participate in the protocol.
>>> >> >> > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>>> >> >> > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>>> >> >> > Hopefully you've spotted the problem.
>>> >> >> > You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>>> >> >> > Damn it's still Proof-of-SquareSpace!
>>> >> >> > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>>> >> >> > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>>> >> >> >
>>> >> >> > ### Conclusion
>>> >> >> >
>>> >> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>> >> >> > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>>> >> >> >
>>> >> >> > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>>> >> >> > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>>> >> >> > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>>> >> >> > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>>> >> >> >
>>> >> >> > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>>> >> >> >
>>> >> >> > Would be interested to know if you or others think differently on these points.
>>> >> >> >
>>> >> >> > [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>>> >> >> > [2]: https://staking.staked.us/algorand-staking
>>> >> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>>> >> >> > [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>>> >> >> > [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>> >> >> >
>>> >> >> > Cheers,
>>> >> >> >
>>> >> >> > LL
>>> >> >> >
>>> >> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >>
>>> >> >> >> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>>> >> >> >>
>>> >> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>>> >> >> >> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>>> >> >> >> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>>> >> >> >> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>>> >> >> >> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>>> >> >> >>
>>> >> >> >> > Proof-of-stake tends towards oligopolistic control
>>> >> >> >>
>>> >> >> >> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>>> >> >> >>
>>> >> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>> >> >> >>
>>> >> >> >> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>>> >> >> >>
>>> >> >> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>> >> >> >>
>>> >> >> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>>> >> >> >>
>>> >> >> >> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>>> >> >> >>
>>> >> >> >> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>>> >> >> >>
>>> >> >> >> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>>> >> >> >>
>>> >> >> >> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>>> >> >> >>
>>> >> >> >> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>>> >> >> >>
>>> >> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >>>
>>> >> >> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>> >> >> >>>
>>> >> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>> >> >> >>>>
>>> >> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>> >> >> >>>>
>>> >> >> >>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>> >> >> >>>>
>>> >> >> >>>> Cheers,
>>> >> >> >>>> Mike
>>> >> >> >>>>
>>> >> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >>>>>
>>> >> >> >>>>> 1. i never suggested vdf's to replace pow.
>>> >> >> >>>>>
>>> >> >> >>>>> 2. my suggestion was specifically *in the context of* a working
>>> >> >> >>>>> proof-of-burn protocol
>>> >> >> >>>>>
>>> >> >> >>>>> - vdfs used only for timing (not block height)
>>> >> >> >>>>> - blind-burned coins of a specific age used to replace proof of work
>>> >> >> >>>>> - the required "work" per block would simply be a competition to
>>> >> >> >>>>> acquire rewards, and so miners would have to burn coins, well in
>>> >> >> >>>>> advance, and hope that their burned coins got rewarded in some far
>>> >> >> >>>>> future
>>> >> >> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>> >> >> >>>>> value gained from proof of work... without some of the security
>>> >> >> >>>>> drawbacks
>>> >> >> >>>>> - the miner risks losing all of his burned coins (like all miners risk
>>> >> >> >>>>> losing their work in each block)
>>> >> >> >>>>> - new burns can't be used
>>> >> >> >>>>> - old burns age out (like ASICs do)
>>> >> >> >>>>> - other requirements on burns might be needed to properly mirror the
>>> >> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>> >> >> >>>>>
>>> >> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>> >> >> >>>>> might be more secure in the long run, and that if the entire space
>>> >> >> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>> >> >> >>>>> up, and a hard-fork could be initiated.
>>> >> >> >>>>>
>>> >> >> >>>>> 4. i would never suggest such a thing unless i believed it was
>>> >> >> >>>>> possible that consensus was possible. so no, this is not an "alt
>>> >> >> >>>>> coin"
>>> >> >> >>>>>
>>> >> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>> >> >> >>>>> >
>>> >> >> >>>>> > Hi ZmnSCPxj,
>>> >> >> >>>>> >
>>> >> >> >>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>> >> >> >>>>> >
>>> >> >> >>>>> > Zac
>>> >> >> >>>>> >
>>> >> >> >>>>> >
>>> >> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> Good morning Zac,
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>> >> >> >>>>> >> >
>>> >> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>> >> >> >>>>> >> >
>>> >> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>> >> >> >>>>> >> >
>>> >> >> >>>>> >> > As a result, variation in block times will be greatly reduced.
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>> >> >> >>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> Regards,
>>> >> >> >>>>> >> ZmnSCPxj
>>> >> >> >>>>> _______________________________________________
>>> >> >> >>>>> bitcoin-dev mailing list
>>> >> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>>> >> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>> >> >> >>>>
>>> >> >> >>>>
>>> >> >> >>>>
>>> >> >> >>>> --
>>> >> >> >>>> Michael Dubrovsky
>>> >> >> >>>> Founder; PoWx
>>> >> >> >>>> www.PoWx.org
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>> --
>>> >> >> >>> Michael Dubrovsky
>>> >> >> >>> Founder; PoWx
>>> >> >> >>> www.PoWx.org
>>> >> >> >>> _______________________________________________
>>> >> >> >>> bitcoin-dev mailing list
>>> >> >> >>> bitcoin-dev@lists.linuxfoundation.org
>>> >> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>> >> >> >>
>>> >> >> >> _______________________________________________
>>> >> >> >> bitcoin-dev mailing list
>>> >> >> >> bitcoin-dev@lists.linuxfoundation.org
>>> >> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>> >> >> >
>>> >> >> > _______________________________________________
>>> >> >> > bitcoin-dev mailing list
>>> >> >> > bitcoin-dev@lists.linuxfoundation.org
>>> >> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-26 13:11 ` befreeandopen
2021-05-26 22:07 ` Erik Aronesty
@ 2021-05-27 10:08 ` Billy Tetrud
2021-05-27 13:11 ` Erik Aronesty
2021-05-28 14:36 ` befreeandopen
1 sibling, 2 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-05-27 10:08 UTC (permalink / raw)
To: befreeandopen; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 48650 bytes --]
> using nothing at stake
I see from the way you're using this term now that you mean something
completely different by it than I usually understand the phrase. You seem
to mean it as that minters can check whether they can mint a block without
any cost. By contrast, I generally understand the phrase to mean the
problem where there is no cost to broadcasting blocks on many different
chains.
> she gained an extra block over the honest strategy which would only give
her block D
I think I see what you're saying now. It actually sounds quite similar to
the selfish mining attack in proof of work. However I do acknowledge that
the ability to secretly mint on both your secret chain(s) and the public
chain makes it worse in PoS. How much worse is something that should be
quantified. This is also a solvable problem. Designing a secure system can
be kind of like whack a mole. You fix the weakest link in the chain, and
there is inevitably now a new weakest link that is stronger than the link
you fixed. Bitcoin is no different, as development continues, more security
improvements are implemented.
In this case, there's a number of possible solutions, some of which can be
combined. Eg you can program all honest clients to mint selfishly. You'd
likely need to lengthen the number of blocks that constitute a finalized
transaction, but you can probably reduce the block time to compensate, so
finalization doesn't actually take longer. You could also require many
additional signatures on each block from outside validators.
> How is that relevant to our discussion?
It is relevant because the benefits of proof of stake must be compared to
an alternative, and the alternative of reference here is clearly PoW. I'm
pointing out that the vulnerability you're describing in the type of PoS
you're talking about also exists in what its being compared against. To
know whether PoS or PoW is better on this particular aspect, you need to
compare the levels of advantage that can be obtained in each, and how this
affects the cost of attacking the system. Its not as straight forward as
saying "PoS is bad because it has this vulnerability" when the system you
compare it to also has a very similar vulnerability. You need to quantify
the difference at that point.
> the list of producers for next epoch is known up front and you confirmed
that this is what you meant with "quorum" system
Known by public key, not by IP address.
> (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
I agree that claiming that Y is a solved problem would be misleading if the
solution creates problems that are of greater significance than the
original problem. I would also agree that if the solution creates
significant problems that are substantially less significant than the
problem it solves, it would be misleading to say its a "solved problem" -
saying "partially solved" would be more accurate there.
However, I do not agree that it is at all misleading to say "nothing at
stake is a solved problem" just because solving that specific problem
doesn't solve all the problems with proof of stake. Its unreasonable to
expect that when someone claims problem X is solved, that it also implies
all problems related to X are solved.
I maintain that nothing at stake is a solved problem. There are solutions
that do not create other problems of anywhere near the same level of
significance.
> Since the optimal scenario with all existing coins participating is just
theoretical, the attacker's position will ever so improve. It seems we are
in agreement here, great
I don't believe we're in agreement there. I don't know how what you said
refutes my point.
> I'm afraid you've not realized the burden of proof is on your side if you
vouch for a design that is not believed and trusted to be secure.
You were the one that claimed proof of stake cannot be made secure. The
burden of proof is on you to support your own claims.
> You have not described a system that would solve it
I would be curious to hear a full critique from you about this protocol
<https://github.com/fresheneesz/ValidatedProofOfStake>.
On Wed, May 26, 2021 at 3:12 AM befreeandopen <befreeandopen@protonmail.com>
wrote:
>
>
> @befreeandopen I guess I misunderstood your selfish minting attack. Let me
> make sure I understand it. You're saying it would go as follows?:
>
> 1. The malicious actor comes across an opportunity to mint the next 3
> blocks. But they hold off and don't release their blocks just yet.
> 2. They receive a new block minted by someone else.
> 3. The malicious actor then chooses to release their other 2 blocks on on
> the second from the top block if it gives them more blocks in the future
> than minting on the top block. And instead lets the top block proceed if it
> gives them more blocks in the future (also figuring in the 3 blocks they're
> missing out on minting).
> 4. Profit!
>
> The problem with this attack is that any self respecting PoS system
> wouldn't have the information available for minters to know how blocks will
> affect their future prospects of minting. Otherwise this would introduce
> the problem of stake grinding. This can be done using collaborative
> randomness (where numbers from many parties are combined to create a random
> number that no individual party could predict). In fact, that's what the
> Casper protocol does to decide quorums. In a non quorum case, you can do
> something like record a hash of a number in the block header, and then have
> a second step to release that number later. Rewards can be given can be
> used to ensure minters act honestly here by minting messages that release
> these numbers and not releasing their secret numbers too early.
>
>
> Yes, you misunderstood it. First, let me say that the above thoughts of
> yours are incorrect, at least for non-quorum case. Since the transition in
> the blockchain system from S1 to S2 is only by adding new block, and since
> stakers always need to be able to decide whether or not they can add the
> next block, it follows that if a staker creates a new block locally, she
> can decide whether the new state allows her to add another block on top. As
> you mentioned, this COULD introduce problem of staking, that you are
> incorrect in that it is a necessity. Usual prevention of the grinding
> problem in this case is that an "old enough" source of randomness applies
> for the current block production process. Of course this, as it is typical
> for PoS, introduces other problems, but let's discard those.
>
> I will try to explain in detail what you misunderstood before. You start
> with a chain ending with blocks A-B-C, C being the top, the common feature
> of PoS system (non-quorum), roughly speaking, is that if N is the total
> amount of coins that participate in the staking process to create a new
> block on top of C (let's call that D), then a participant having K*N amount
> of stake has chance K to be the one who will create the next stake. In
> other words, the power of stakers is supposed to be linear in the system -
> you own 10 coins gives you 10x the chance of finding block over someone who
> has 1 coin.
>
> What i was claiming is that using the technique I have described, this
> linearity is violated. Why? Well, it works for honest stakers among the
> competition of honest stakers - they really do have the chance of K to find
> the next block. However, the attacker, using nothing at stake, checks her
> ability to build block D (at some timestamp). If she is successful, she
> does not propagate D immediately, but instead she also checks whether she
> can build on top of B and on top of A. Since with every new timestamp,
> usually, there is a new chance to build the block, it is not uncommon that
> she finds she is indeed able to build such block C' on top of B. Here it is
> likely t(C') > t(C) as the attacker has relatively low stake. Note that in
> order to produce such C', she not only could have tried the current
> timestamp t(D), but also all previous timestamps up to t(B) (usually that's
> the consensus rule, but it may depend on a specific consensus). So her
> chance to produce such C' is greater than her previous chance of producing
> C (which chance was limited by other stakers in the system and the
> discovery of block C by one of them). Now suppose that she found such C'
> and now she continues by trying to prolong this chain by finding D'. And
> again here, it is quite likely that her chance to find such D' is greater
> than was her chance of finding D because again there are likely multiple
> timestamps she could try. This all was possible just because nothing at
> stake allows you to just try if you can produce a block in certain state of
> block chain or not. Now if she actually was able to find D', she discards D
> and only publishes chain A-B-C'-D', which can not be punished despite the
> fact that she indeed produced two different forks. She can not be punished
> because this production was local and only the final result of A-B-C'-D'
> was published, in which case she gained an extra block over the honest
> strategy which would only give her block D.
>
>
>
> Fun fact tho: there is an attack called the "selfish mining attack" for
> proof of work, and it reduces the security of PoW by at least 1/3rd
> <https://bitcoinmagazine.com/technical/selfish-mining-a-25-attack-against-the-bitcoin-network-1383578440>
> .
>
>
> How is that relevant to our discussion? This is known research that has
> nothing to do with PoS except that it is often worse on PoS.
>
>
>
> > the problem is not as hard as you think
>
> I don't claim to know just how hard finding the IP address associated with
> a bitcoin address is. However, the DOS risk can be solved more completely
> by only allowing the owner of coins themselves to know whether they can
> mint a block. Eg by determining whether someone can mint a block based on
> their public key hidden behind hashes (as normal in addresses). Only when
> someone does in fact mint a block do they reveal their hidden public key in
> order to prove they are allowed to mint the block.
>
>
> This is true, but you are mixing quorum and non-quorum systems. My
> objection here was towards such system where I specifically said that the
> list of producers for next epoch is known up front and you confirmed that
> this is what you meant with "quorum" system. So in such system, I claimed,
> the known producer is the only target at any given point of time. This of
> course does not apply to any other type of system where future producers
> are not known. No need to dispute, again, something that was not claimed.
>
>
>
>
> > I agree that introduction of punishment itself does not imply
> introducing a problem elsewhere (which I did not claim if you reread my
> previous message)
>
> I'm glad we agree there. Perhaps I misunderstood what you meant by "you
> should not omit to mention that by doing so, typically, you have introduced
> another problem elsewhere."
>
>
> Perhaps you should quote the full sentence and not just a part of it:
>
> "Of course you can always change the rules in a way that a certain
> specific attack is not doable, but you should not omit to mention that by
> doing so, typically, you have introduced another problem elsewhere, or you
> have not solved it completely."
>
> You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT
> COMPLETELY)
> In case of the punishment it was meant to be the not solve it completely
> part.
> Also "typically" does not imply always.
> But this parsing of English sentences for you seems very off topic here.
> My point is, in context of Bitcoin, reject such unsupported claims that PoS
> is a reasonable alternative to PoW, let's stick to that.
>
>
>
> > As long as the staker makes sure (which is not that hard) that she does
> not miss a chance to create a block, her significance in the system will
> always increase in time. It will increase relative to all normal users who
> do not stake
>
> Well, if you're in the closed system of the cryptocurrency, sure. But we
> don't live in that closed system. Minters will earn some ROI from minting
> just like any other financial activity. Others may find more success
> spending their time doing things other than figuring out how to mint coins.
> In that case, they'll be able to earn more coin that they could later
> decide to use to mint blocks if they decide to.
>
>
> This only supports the point I was making. Since the optimal scenario with
> all existing coins participating is just theoretical, the attacker's
> position will ever so improve. It seems we are in agreement here, great.
>
>
>
>
> > Just because of the above we must reject PoS as being critically
> insecure
>
> I think the only thing we can conclude from this is that you have come up
> with an insecure proof of stake protocol. I don't see how anything you've
> brought up amounts to substantial evidence that all possible PoS protocols
> are insecure.
>
>
> I have not come up with anything. I'm afraid you've not realized the
> burden of proof is on your side if you vouch for a design that is not
> believed and trusted to be secure. It is up to you to show that you know
> how to solve every problem that people throw at you. So far we have just
> demonstrated that your claim that nothing at stake is solved was
> unjustified. You have not described a system that would solve it (and not
> introduce critical DDOS attack vector as it is in quorum based systems -
> per the prior definition of such systems).
>
> Of course the list of problems of PoS systems do not end with just nothing
> at stake, but it is good enough example that by itself prevents its
> adoption in decentralized consensus. No need to go to other hard problems
> without solving nothing at stake.
>
>
>
>
>
> On Tue, May 25, 2021 at 11:10 AM befreeandopen <
> befreeandopen@protonmail.com> wrote:
>
>>
>> @befreeandopen " An attacker can calculate whether or not she can prolong
>> this chain or not and if so with what timestamp."
>>
>> The scenario you describe would only be likely to happen at all if the
>> malicious actor has a very large fraction of the stake - probably quite
>> close to 50%. At that point, you're talking about a 51% attack, not the
>> nothing at stake problem. The nothing at stake problem is the problem where
>> anyone will mint on any chain. Its clear that if there's a substantial
>> punishment for minting on chains other than the one that eventually wins,
>> every minter without a significant fraction of the stake will be honest and
>> not attempt to mint on old blocks or support someone else's attempt to mint
>> on old blocks (until and if it becomes the heaviest chain). Because the
>> attacker would need probably >45% of the active stake (take a look at the reasoning
>> here
>> <https://github.com/fresheneesz/ValidatedProofOfStake#security-the-minimum-cost-of-attack>
>> for a deeper analysis of that statement), I don't agree that punishment is
>> not a sufficient mitigation of the nothing at stake problem. To exploit the
>> nothing at stake problem, you basically need to 51% attack, at which point
>> you've exceeded the operating conditions of the system, so of course its
>> gonna have problems, just like a 51% attack would cause with PoW.
>>
>>
>> This is not at all the case. The attacker benefits using the described
>> technique at any size of the stake and significantly so with just 5% of the
>> stake. By significantly, I do not mean that the attacker is able to
>> completely take control the network (in short term), but rather that the
>> attacker has significant advantage in the number of blocks she creates
>> compared to what she "should be able to create". This means the attacker's
>> stake increases significantly faster than of the honest nodes, which in
>> long term is very serious in PoS system. If you believe close to 50% is
>> needed for that, you need to redo your math. So no, you are wrong stating
>> that "to exploit nothing at stake problem you basically need to 51%
>> attack". It is rather the opposite - eventually, nothing at stake attack
>> leads to ability to perform 51% attack.
>>
>>
>>
>> > I am not sure if this is what you call quorum-based PoS
>>
>> Yes, pre-selected minters is exactly what I mean by that.
>>
>> > it allows the attacker to know who to attack at which point with
>> powerful DDOS in order to hurt liveness of such system
>>
>> Just like in bitcoin, associating keys with IP addresses isn't generally
>> an easy thing to do on the fly like that. If you know someone's IP address,
>> you can target them. But if you only know their address or public key, the
>> reverse isn't as easy. With a quorum-based PoS system, you can see their
>> public key and address, but finding out their IP to DOS would be a huge
>> challenge I think.
>>
>>
>> I do not dispute that the problem is not trivial, but the problem is not
>> as hard as you think. The network graph analysis is a known technique and
>> it is not trivial, but not very hard either. Introducing a large number of
>> nodes to the system to achieve very good success rate of analysis of area
>> of origin of blocks is doable and has been done in past. So again, I very
>> much disagree with your conclusion that this is somehow secure. It is
>> absolutely insecure.
>>
>>
>>
>> Note, tho, that quorum-based PoS generally also have punishments as part
>> of the protocol. The introduction of punishments do indeed handily solve
>> the nothing at stake problem. And you didn't mention a single problem that
>> the punishments introduce that weren't already there before punishments.
>> There are tradeoffs with introducing punishments (eg in some cases you
>> might punish honest actors), but they are minor in comparison to solving
>> the nothing at stake problem.
>>
>>
>> While I agree that introduction of punishment itself does not imply
>> introducing a problem elsewhere (which I did not claim if you reread my
>> previous message), it does introduce additional complexity which may
>> introduce problem, but more importantly, while it slightly improves
>> resistance against the nothing at stake attack, it solves absolutely
>> nothing. Your claim is based on wrong claim of needed close to 50% stake,
>> but that could not be farther from the truth. It is not true even in
>> optimal conditions when all participants of the network stake or delegate
>> their stake. These optimal conditions rarely, if ever, occur. And that's
>> another thing that we have not mention in our debate, so please allow me to
>> introduce another problem to PoS.
>>
>> Consider what is needed for such optimal conditions to occur - all coins
>> are always part of the stake, which means that they need to somehow
>> automatically part of the staking process even when they are moved. But in
>> many PoS systems you usually require some age (in terms of confirmations)
>> of the coin before you allow it to be used for participation in staking
>> process and that is for a good reason - to prevent various grinding
>> attacks. In some systems the coin must be specifically registered before it
>> can be staked, in others, simply waiting for enough confirmations enables
>> you to stake with the coin. I am not sure if there is a system which does
>> not have this cooling period for a coin that has been moved. Maybe it is
>> possible though, but AFAIK it is not common and not battle tested feature.
>>
>> Then if we admit that achieving the optimal condition is rather
>> theoretical. Then if we do not have the optimal condition, it means that a
>> staker with K% of the total available supply increases it's percentage over
>> time to some amounts >K%. As long as the staker makes sure (which is not
>> that hard) that she does not miss a chance to create a block, her
>> significance in the system will always increase in time. It will increase
>> relative to all normal users who do not stake (if there are any) and
>> relative to all other stakers who make mistakes or who are not wealthy
>> enough to afford not selling any position ever. But powerful attacker is
>> exactly in such position and thus she will gain significance in such a
>> system. The technique I have described, and that you mistakenly think is
>> viable only with huge amounts of stake, only puts the attacker to even
>> greater advantage. But even without the described attack (which exploits
>> nothing at stake), the PoS system converges to a system more and more
>> controlled by powerful entity, which we can assume is the attacker.
>>
>>
>> So I don't think it is at all misleading to claim that "nothing at stake"
>> is a solved problem. I do in fact mean that the solutions to that problem
>> don't introduce any other problems with anywhere near the same level of
>> significance.
>>
>>
>> It still stands as truly misleading claim. I disagree that introducing
>> DDOS opportunity with medium level of difficulty for the attacker to
>> implement it, in case of "quorum-based PoS" is not a problem anywhere near
>> the same level of significance. Such an attack vector allows you to turn
>> off the network if you spend some time and money. That is hardly acceptable.
>>
>> Just because of the above we must reject PoS as being critically insecure
>> until someone invents and demonstrates an actual way of solving these
>> issues.
>>
>>
>>
>> On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
>>
>>> > > you burn them to be used at a future particular block height
>>>
>>> > This sounds exploitable. It seems like an attacker could simply focus
>>> all their burns on a particular set of 6 blocks to double spend, minimizing
>>> their cost of attack.
>>>
>>> could be right. the original idea was to have burns decay over time,
>>> like ASIC's.
>>>
>>> anyway the point was not that "i had a magic formula"
>>>
>>> the point was that proof of burn is almost always better than proof of
>>> stake - simply because the "proof" is on-chain, not sitting on a node
>>> somewhere waiting to be stolen.
>>>
>>> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com>
>>> wrote:
>>> >
>>> > Is this the kind of proof of burn you're talking about?
>>> >
>>> > > if i have a choice between two chains, one longer and one shorter,
>>> i can only choose one... deterministically
>>> >
>>> > What prevents you from attempting to mine block 553 on both chains?
>>> >
>>> > > miners have a very strong, long-term, investment in the stability of
>>> the chain.
>>> >
>>> > Yes, but the same can be said of any coin, even ones that do have the
>>> nothing at stake problem. This isn't sufficient tho because the chain is a
>>> common good, and the tragedy of the commons holds for it.
>>> >
>>> > > you burn them to be used at a future particular block height
>>> >
>>> > This sounds exploitable. It seems like an attacker could simply focus
>>> all their burns on a particular set of 6 blocks to double spend, minimizing
>>> their cost of attack.
>>> >
>>> > > i can imagine scenarios where large stakeholders can collude to
>>> punish smaller stakeholders simply to drive them out of business, for
>>> example
>>> >
>>> > Are you talking about a 51% attack? This is possible in any
>>> decentralized cryptocurrency.
>>> >
>>> >
>>> > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>>> >>
>>> >> > > your burn investment is always "at stake", any redaction can
>>> result in a loss-of-burn, because burns can be tied, precisely, to
>>> block-heights
>>> >> > I'm fuzzy on how proof of burn works.
>>> >>
>>> >> when you burn coins, you burn them to be used at a future particular
>>> >> block height: so if i'm burning for block 553, i can only use them to
>>> >> mine block 553. if i have a choice between two chains, one longer
>>> >> and one shorter, i can only choose one... deterministically, for that
>>> >> burn: the chain with the height 553. if we fix the "lead time" for
>>> >> burned coins to be weeks or even months in advance, miners have a very
>>> >> strong, long-term, investment in the stability of the chain.
>>> >>
>>> >> therefore there is no "nothing at stake" problem. it's
>>> >> deterministic, so miners have no choice. they can *only* choose the
>>> >> transactions that go into the block. they cannot choose which chain
>>> >> to mine, and it's time-locked, so rollbacks and instability always
>>> >> hurt miners the most.
>>> >>
>>> >> the "punishment" systems of PoS are "weird at best", certainly
>>> >> unproven. i can imagine scenarios where large stakeholders can
>>> >> collude to punish smaller stakeholders simply to drive them out of
>>> >> business, for example. and then you have to put checks in place to
>>> >> prevent that, and more checks for those prevention system...
>>> >>
>>> >> in PoB, there is no complexity. simpler systems like this are
>>> >> typically more secure.
>>> >>
>>> >> PoB also solves problems caused by "energy dependence", which could
>>> >> lead to state monopolies on mining (like the new Bitcoin Mining
>>> >> Council). these consortiums, if state sanctioned, could become a
>>> >> source of censorship, for example. Since PoB doesn't require you to
>>> >> have a live, well-connected node, it's harder to censor & harder to
>>> >> trace.
>>> >>
>>> >> Eliminating this weakness seems to be in the best interests of
>>> >> existing stakeholders
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com>
>>> wrote:
>>> >> >
>>> >> > > proof of burn clearly solves this, since nothing is held online
>>> >> >
>>> >> > Well.. the coins to be burned need to be online when they're
>>> burned. But yes, only a small fraction of the total coins need to be online.
>>> >> >
>>> >> > > your burn investment is always "at stake", any redaction can
>>> result in a loss-of-burn, because burns can be tied, precisely, to
>>> block-heights
>>> >> >
>>> >> > So you're saying that if say someone tries to mine a block on a
>>> shorter chain, that requires them to send a transaction burning their
>>> coins, and that transaction could also be spent on the longest chain, which
>>> means their coins are burned even if the chain they tried to mine on
>>> doesn't win? I'm fuzzy on how proof of burn works.
>>> >> >
>>> >> > > proof of burn can be more secure than proof-of-stake
>>> >> >
>>> >> > FYI, proof of stake can be done without the "nothing at stake"
>>> problem. You can simply punish people who mint on shorter chains (by
>>> rewarding people who publish proofs of this happening on the main chain).
>>> In quorum-based PoS, you can punish people in the quorum that propose or
>>> sign multiple blocks for the same height. The "nothing at stake" problem is
>>> a solved problem at this point for PoS.
>>> >> >
>>> >> >
>>> >> >
>>> >> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>>> >> >>
>>> >> >> > I don't see a way to get around the conflicting requirement that
>>> the keys for large amounts of coins should be kept offline but those are
>>> exactly the coins we need online to make the scheme secure.
>>> >> >>
>>> >> >> proof of burn clearly solves this, since nothing is held online
>>> >> >>
>>> >> >> > how does proof of burn solve the "nothing at stake" problem in
>>> your view?
>>> >> >>
>>> >> >> definition of nothing at stake: in the event of a fork, whether the
>>> >> >> fork is accidental or a malicious, the optimal strategy for any
>>> miner
>>> >> >> is to mine on every chain, so that the miner gets their reward no
>>> >> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>>> >> >> published on the very chains mines, so the incentive is magnified.
>>> >> >>
>>> >> >> in proof-of-burn, your burn investment is always "at stake", any
>>> >> >> redaction can result in a loss-of-burn, because burns can be tied,
>>> >> >> precisely, to block-heights
>>> >> >>
>>> >> >> as a result, miners no longer have an incentive to mine all chains
>>> >> >>
>>> >> >> in this way proof of burn can be more secure than proof-of-stake,
>>> and
>>> >> >> even more secure than proof of work
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> >
>>> >> >>
>>> >> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>>> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >
>>> >> >> > Hi Billy,
>>> >> >> >
>>> >> >> > I was going to write a post which started by dismissing many of
>>> the weak arguments that are made against PoS made in this thread and
>>> elsewhere.
>>> >> >> > Although I don't agree with all your points you have done a
>>> decent job here so I'll focus on the second part: why I think
>>> Proof-of-Stake is inappropriate for a Bitcoin-like system.
>>> >> >> >
>>> >> >> > Proof of stake is not fit for purpose for a global settlement
>>> layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin
>>> is trying to be.
>>> >> >> > PoS necessarily gives responsibilities to the holders of coins
>>> that they do not want and cannot handle.
>>> >> >> > In Bitcoin, large unsophisticated coin holders can put their
>>> coins in cold storage without a second thought given to the health of the
>>> underlying ledger.
>>> >> >> > As much as hardcore Bitcoiners try to convince them to run their
>>> own node, most don't, and that's perfectly acceptable.
>>> >> >> > At no point do their personal decisions affect the underlying
>>> consensus -- it only affects their personal security assurance (not that of
>>> the system itself).
>>> >> >> > In PoS systems this clean separation of responsibilities does
>>> not exist.
>>> >> >> >
>>> >> >> > I think that the more rigorously studied PoS protocols will work
>>> fine within the security claims made in their papers.
>>> >> >> > People who believe that these protocols are destined for
>>> catastrophic consensus failure are certainly in for a surprise.
>>> >> >> > But the devil is in the detail.
>>> >> >> > Let's look at what the implications of using the leading proof
>>> of stake protocols would have on Bitcoin:
>>> >> >> >
>>> >> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>>> >> >> >
>>> >> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3]
>>> with an inbuilt on-chain delegation system[5].
>>> >> >> > In these protocols, coin holders who do not want to run their
>>> node with their hot keys in it delegate it to a "Stake Pool".
>>> >> >> > I call the resulting system Proof-of-SquareSpace since most will
>>> choose a pool by looking around for one with a nice website and offering
>>> the largest share of the block reward.
>>> >> >> > On the surface this might sound no different than someone with
>>> an mining rig shopping around for a good mining pool but there are crucial
>>> differences:
>>> >> >> >
>>> >> >> > 1. The person making the decision is forced into it just because
>>> they own the currency -- someone with a mining rig has purchased it with
>>> the intent to make profit by participating in consensus.
>>> >> >> >
>>> >> >> > 2. When you join a mining pool your systems are very much still
>>> online. You are just partaking in a pool to reduce your profit variance.
>>> You still see every block that you help create and *you never help create a
>>> block without seeing it first*.
>>> >> >> >
>>> >> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority
>>> and start censoring transactions how are the users meant to redelegate
>>> their stake to honest pools?
>>> >> >> > I guess they can just send a transaction delegating to another
>>> pool...oh wait I guess that might be censored too! This seems really really
>>> bad.
>>> >> >> > In Bitcoin, miners can just join a different pool at a whim.
>>> There is nothing the attacker can do to stop them. A temporary dishonest
>>> majority heals relatively well.
>>> >> >> >
>>> >> >> > There is another severe disadvantage to this on-chain delegation
>>> system: every UTXO must indicate which staking account this UTXO belongs to
>>> so the appropriate share of block rewards can be transferred there.
>>> >> >> > Being able to associate every UTXO to an account ruins one of
>>> the main privacy advantages of the UTXO model.
>>> >> >> > It also grows the size of the blockchain significantly.
>>> >> >> >
>>> >> >> > ### "Pure" proof of stake (Algorand)
>>> >> >> >
>>> >> >> > Algorand's[4] approach is to only allow online stake to
>>> participate in the protocol.
>>> >> >> > Theoretically, This means that keys holding funds have to be
>>> online in order for them to author blocks when they are chosen.
>>> >> >> > Of course in reality no one wants to keep their coin holding
>>> keys online so in Alogorand you can authorize a set of "participation
>>> keys"[1] that will be used to create blocks on your coin holding key's
>>> behalf.
>>> >> >> > Hopefully you've spotted the problem.
>>> >> >> > You can send your participation keys to any malicious party with
>>> a nice website (see random example [2]) offering you a good return.
>>> >> >> > Damn it's still Proof-of-SquareSpace!
>>> >> >> > The minor advantage is that at least the participation keys
>>> expire after a certain amount of time so eventually the SquareSpace
>>> attacker will lose their hold on consensus.
>>> >> >> > Importantly there is also less junk on the blockchain because
>>> the participation keys are delegated off-chain and so are not making as
>>> much of a mess.
>>> >> >> >
>>> >> >> > ### Conclusion
>>> >> >> >
>>> >> >> > I don't see a way to get around the conflicting requirement that
>>> the keys for large amounts of coins should be kept offline but those are
>>> exactly the coins we need online to make the scheme secure.
>>> >> >> > If we allow delegation then we open up a new social attack
>>> surface and it degenerates to Proof-of-SquareSpace.
>>> >> >> >
>>> >> >> > For a "digital gold" like system like Bitcoin we optimize for
>>> simplicity and desperately want to avoid extraneous responsibilities for
>>> the holder of the coin.
>>> >> >> > After all, gold is an inert element on the periodic table that
>>> doesn't confer responsibilities on the holder to maintain the quality of
>>> all the other bars of gold out there.
>>> >> >> > Bitcoin feels like this too and in many ways is more inert and
>>> beautifully boring than gold.
>>> >> >> > For Bitcoin to succeed I think we need to keep it that way and
>>> Proof-of-Stake makes everything a bit too exciting.
>>> >> >> >
>>> >> >> > I suppose in the end the market will decide what is real digital
>>> gold and whether these bad technical trade offs are worth being able to say
>>> it uses less electricity. It goes without saying that making bad technical
>>> decisions to appease the current political climate is an anathema to
>>> Bitcoin.
>>> >> >> >
>>> >> >> > Would be interested to know if you or others think differently
>>> on these points.
>>> >> >> >
>>> >> >> > [1]:
>>> https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>>> >> >> > [2]: https://staking.staked.us/algorand-staking
>>> >> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>>> >> >> > [4]:
>>> https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>>> >> >> > [5]:
>>> https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>> >> >> >
>>> >> >> > Cheers,
>>> >> >> >
>>> >> >> > LL
>>> >> >> >
>>> >> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >>
>>> >> >> >> I think there is a lot of misinformation and bias against Proof
>>> of Stake. Yes there have been lots of shady coins that use insecure PoS
>>> mechanisms. Yes there have been massive issues with distribution of PoS
>>> coins (of course there have also been massive issues with PoW coins as
>>> well). However, I want to remind everyone that there is a difference
>>> between "proved to be impossible" and "have not achieved recognized success
>>> yet". Most of the arguments levied against PoS are out of date or rely on
>>> unproven assumptions or extrapolation from the analysis of a particular PoS
>>> system. I certainly don't think we should experiment with bitcoin by
>>> switching to PoS, but from my research, it seems very likely that there is
>>> a proof of stake consensus protocol we could build that has substantially
>>> higher security (cost / capital required to execute an attack) while at the
>>> same time costing far less resources (which do translate to fees on the
>>> network) *without* compromising any of the critical security properties
>>> bitcoin relies on. I think the critical piece of this is the disagreements
>>> around hardcoded checkpoints, which is a critical piece solving attacks
>>> that could be levied on a PoS chain, and how that does (or doesn't) affect
>>> the security model.
>>> >> >> >>
>>> >> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS
>>> is worse when a 51% attack happens. While I agree, I think that line of
>>> thinking omits important facts:
>>> >> >> >> * The capital required to 51% attack a PoS chain can be made
>>> substantially greater than on a PoS chain.
>>> >> >> >> * The capital the attacker stands to lose can be substantially
>>> greater as well if the attack is successful.
>>> >> >> >> * The effectiveness of paying miners to raise the honest
>>> fraction of miners above 50% may be quite bad.
>>> >> >> >> * Allowing a 51% attack is already unacceptable. It should be
>>> considered whether what happens in the case of a 51% may not be
>>> significantly different. The currency would likely be critically damaged in
>>> a 51% attack regardless of consensus mechanism.
>>> >> >> >>
>>> >> >> >> > Proof-of-stake tends towards oligopolistic control
>>> >> >> >>
>>> >> >> >> People repeat this often, but the facts support this. There is
>>> no centralization pressure in any proof of stake mechanism that I'm aware
>>> of. IE if you have 10 times as much coin that you use to mint blocks, you
>>> should expect to earn 10x as much minting revenue - not more than 10x. By
>>> contrast, proof of work does in fact have clear centralization pressure -
>>> this is not disputed. Our goal in relation to that is to ensure that the
>>> centralization pressure remains insignifiant. Proof of work also clearly
>>> has a lot more barriers to entry than any proof of stake system does. Both
>>> of these mean the tendency towards oligopolistic control is worse for PoW.
>>> >> >> >>
>>> >> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>> >> >> >>
>>> >> >> >> I certainly agree. Bitcoin's energy usage at the moment is I
>>> think quite warranted. However, the question is: can we do substantially
>>> better. I think if we can, we probably should... eventually.
>>> >> >> >>
>>> >> >> >> > Proof of Stake is only resilient to ⅓ of the network
>>> demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to
>>> the ½ threshold
>>> >> >> >>
>>> >> >> >> I see no mention of this in the pos.pdf you linked to. I'm not
>>> aware of any proof that all PoS systems have a failure threshold of 1/3. I
>>> know that staking systems like Casper do in fact have that 1/3 requirement.
>>> However there are PoS designs that should exceed that up to nearly 50% as
>>> far as I'm aware. Proof of work is not in fact resilient up to the 1/2
>>> threshold in the way you would think. IE, if 100% of miners are currently
>>> honest and have a collective 100 exahashes/s hashpower, an attacker does
>>> not need to obtain 100 exahashes/s, but actually only needs to accumulate
>>> 50 exahashes/s. This is because as the attacker accumulates hashpower, it
>>> drives honest miners out of the market as the difficulty increases to
>>> beyond what is economically sustainable. Also, its been shown that the best
>>> proof of work can do is require an attacker to obtain 33% of the hashpower
>>> because of the selfish mining attack discussed in depth in this paper:
>>> https://arxiv.org/abs/1311.0243. Together, both of these things reduce
>>> PoW's security by a factor of about 83% (1 - 50%*33%).
>>> >> >> >>
>>> >> >> >> > Proof of Stake requires other trade-offs which are
>>> incompatible with Bitcoin's objective (to be a trustless digital cash) —
>>> specifically the famous "security vs. liveness" guarantee
>>> >> >> >>
>>> >> >> >> Do you have a good source that talks about why you think proof
>>> of stake cannot be used for a trustless digital cash?
>>> >> >> >>
>>> >> >> >> > You cannot gain tokens without someone choosing to give up
>>> those coins - a form of permission.
>>> >> >> >>
>>> >> >> >> This is not a practical constraint. Just like in mining, some
>>> nodes may reject you, but there will likely be more that will accept you,
>>> some sellers may reject you, but most would accept your money as payment
>>> for bitcoins. I don't think requiring the "permission" of one of millions
>>> of people in the market can be reasonably considered a "permissioned
>>> currency".
>>> >> >> >>
>>> >> >> >> > 2. Proof of stake must have a trusted means of timestamping
>>> to regulate overproduction of blocks
>>> >> >> >>
>>> >> >> >> Both PoW and PoS could mine/mint blocks twice as fast if
>>> everyone agreed to double their clock speeds. Both systems rely on an
>>> honest majority sticking to standard time.
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via
>>> bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >>>
>>> >> >> >>> Ah sorry, I didn't realize this was, in fact, a different
>>> thread! :)
>>> >> >> >>>
>>> >> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <
>>> mike@powx.org> wrote:
>>> >> >> >>>>
>>> >> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the
>>> BIP itself. PoS, VDFs, and so on are interesting but I guess there are
>>> other threads going on these topics already where they would be relevant.
>>> >> >> >>>>
>>> >> >> >>>> Also, it's important to distinguish between oPoW and these
>>> other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't
>>> alter the core game theory or security assumptions of Hashcash and actually
>>> contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>> >> >> >>>>
>>> >> >> >>>> Cheers,
>>> >> >> >>>> Mike
>>> >> >> >>>>
>>> >> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev
>>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> >> >> >>>>>
>>> >> >> >>>>> 1. i never suggested vdf's to replace pow.
>>> >> >> >>>>>
>>> >> >> >>>>> 2. my suggestion was specifically *in the context of* a
>>> working
>>> >> >> >>>>> proof-of-burn protocol
>>> >> >> >>>>>
>>> >> >> >>>>> - vdfs used only for timing (not block height)
>>> >> >> >>>>> - blind-burned coins of a specific age used to replace proof
>>> of work
>>> >> >> >>>>> - the required "work" per block would simply be a
>>> competition to
>>> >> >> >>>>> acquire rewards, and so miners would have to burn coins,
>>> well in
>>> >> >> >>>>> advance, and hope that their burned coins got rewarded in
>>> some far
>>> >> >> >>>>> future
>>> >> >> >>>>> - the point of burned coins is to mimic, in every meaningful
>>> way, the
>>> >> >> >>>>> value gained from proof of work... without some of the
>>> security
>>> >> >> >>>>> drawbacks
>>> >> >> >>>>> - the miner risks losing all of his burned coins (like all
>>> miners risk
>>> >> >> >>>>> losing their work in each block)
>>> >> >> >>>>> - new burns can't be used
>>> >> >> >>>>> - old burns age out (like ASICs do)
>>> >> >> >>>>> - other requirements on burns might be needed to properly
>>> mirror the
>>> >> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine
>>> honestly.
>>> >> >> >>>>>
>>> >> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf
>>> system"
>>> >> >> >>>>> might be more secure in the long run, and that if the entire
>>> space
>>> >> >> >>>>> agreed that such an endeavor was worthwhile, a test net
>>> could be spun
>>> >> >> >>>>> up, and a hard-fork could be initiated.
>>> >> >> >>>>>
>>> >> >> >>>>> 4. i would never suggest such a thing unless i believed it
>>> was
>>> >> >> >>>>> possible that consensus was possible. so no, this is not an
>>> "alt
>>> >> >> >>>>> coin"
>>> >> >> >>>>>
>>> >> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <
>>> zachgrw@gmail.com> wrote:
>>> >> >> >>>>> >
>>> >> >> >>>>> > Hi ZmnSCPxj,
>>> >> >> >>>>> >
>>> >> >> >>>>> > Please note that I am not suggesting VDFs as a means to
>>> save energy, but solely as a means to make the time between blocks more
>>> constant.
>>> >> >> >>>>> >
>>> >> >> >>>>> > Zac
>>> >> >> >>>>> >
>>> >> >> >>>>> >
>>> >> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <
>>> ZmnSCPxj@protonmail.com> wrote:
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> Good morning Zac,
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> > VDFs might enable more constant block times, for
>>> instance by having a two-step PoW:
>>> >> >> >>>>> >> >
>>> >> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF
>>> being subject to difficulty adjustments similar to the as-is). As per the
>>> property of VDFs, miners are able show proof of work.
>>> >> >> >>>>> >> >
>>> >> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so
>>> finding a block takes 1 minute on average, again subject to as-is
>>> difficulty adjustments.
>>> >> >> >>>>> >> >
>>> >> >> >>>>> >> > As a result, variation in block times will be greatly
>>> reduced.
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> As I understand it, another weakness of VDFs is that they
>>> are not inherently progress-free (their sequential nature prevents that;
>>> they are inherently progress-requiring).
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> Thus, a miner which focuses on improving the amount of
>>> energy that it can pump into the VDF circuitry (by overclocking and
>>> freezing the circuitry), could potentially get into a winner-takes-all
>>> situation, possibly leading to even *worse* competition and even *more*
>>> energy consumption.
>>> >> >> >>>>> >> After all, if you can start mining 0.1s faster than the
>>> competition, that is a 0.1s advantage where *only you* can mine *in the
>>> entire world*.
>>> >> >> >>>>> >>
>>> >> >> >>>>> >> Regards,
>>> >> >> >>>>> >> ZmnSCPxj
>>> >> >> >>>>> _______________________________________________
>>> >> >> >>>>> bitcoin-dev mailing list
>>> >> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>>> >> >> >>>>>
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>> >> >> >>>>
>>> >> >> >>>>
>>> >> >> >>>>
>>> >> >> >>>> --
>>> >> >> >>>> Michael Dubrovsky
>>> >> >> >>>> Founder; PoWx
>>> >> >> >>>> www.PoWx.org
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>> --
>>> >> >> >>> Michael Dubrovsky
>>> >> >> >>> Founder; PoWx
>>> >> >> >>> www.PoWx.org
>>> >> >> >>> _______________________________________________
>>> >> >> >>> bitcoin-dev mailing list
>>> >> >> >>> bitcoin-dev@lists.linuxfoundation.org
>>> >> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>> >> >> >>
>>> >> >> >> _______________________________________________
>>> >> >> >> bitcoin-dev mailing list
>>> >> >> >> bitcoin-dev@lists.linuxfoundation.org
>>> >> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>> >> >> >
>>> >> >> > _______________________________________________
>>> >> >> > bitcoin-dev mailing list
>>> >> >> > bitcoin-dev@lists.linuxfoundation.org
>>> >> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
>>
>
[-- Attachment #2: Type: text/html, Size: 61709 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-27 10:08 ` Billy Tetrud
@ 2021-05-27 13:11 ` Erik Aronesty
2021-05-28 14:36 ` befreeandopen
1 sibling, 0 replies; 67+ messages in thread
From: Erik Aronesty @ 2021-05-27 13:11 UTC (permalink / raw)
To: Billy Tetrud; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
Problems with proof-of-stake:
- A single CVE can tear down the network and hacked nodes can result
in transferring all mining power to one group
- PoS is vulnerable to DOS attacks (increasing latency reduces the
cost of mining attacks)
- PoS is vulnerable to stakers colluding to punish/drive out others
This *cannot* happen in PoW (or PoB), because "pulling the plug" is
sufficient to stop a hacked mining rig. (I should know, my first rig
was hacked, day 1, until i learned how to secure it properly!)
**The value of a base layer is tied tightly to its "risk of default",
thus PoW will always be superior, harder money.**
Bitcoin has very, very low risk of default:
- proof model ties to real-world energy
- core devs that are risk averse and will never hard fork to reverse
transactions
- extremely decentralized, priority given to decentralization and
security over every other feature in every PR
- fees kept high enough to financially secure the network - allowing
billions in value to move safely for dollars in fees
PoW is harder money than PoS, and Bitcoin is, foremost, hard money.
PoS has no sunk-investment, no replication and requires stake to be
online (and attackable), and I think has no business being considered
as an alternative to PoW for a base-layer system like Bitcoin.
These are problems.that cannot be overlooked or swept under the rug.
If you cannot "pull the plug" on stake, then you cannot defend the
network from an attack.
On Thu, May 27, 2021 at 6:09 AM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>
> > using nothing at stake
>
> I see from the way you're using this term now that you mean something completely different by it than I usually understand the phrase. You seem to mean it as that minters can check whether they can mint a block without any cost. By contrast, I generally understand the phrase to mean the problem where there is no cost to broadcasting blocks on many different chains.
>
> > she gained an extra block over the honest strategy which would only give her block D
>
> I think I see what you're saying now. It actually sounds quite similar to the selfish mining attack in proof of work. However I do acknowledge that the ability to secretly mint on both your secret chain(s) and the public chain makes it worse in PoS. How much worse is something that should be quantified. This is also a solvable problem. Designing a secure system can be kind of like whack a mole. You fix the weakest link in the chain, and there is inevitably now a new weakest link that is stronger than the link you fixed. Bitcoin is no different, as development continues, more security improvements are implemented.
>
> In this case, there's a number of possible solutions, some of which can be combined. Eg you can program all honest clients to mint selfishly. You'd likely need to lengthen the number of blocks that constitute a finalized transaction, but you can probably reduce the block time to compensate, so finalization doesn't actually take longer. You could also require many additional signatures on each block from outside validators.
>
> > How is that relevant to our discussion?
>
> It is relevant because the benefits of proof of stake must be compared to an alternative, and the alternative of reference here is clearly PoW. I'm pointing out that the vulnerability you're describing in the type of PoS you're talking about also exists in what its being compared against. To know whether PoS or PoW is better on this particular aspect, you need to compare the levels of advantage that can be obtained in each, and how this affects the cost of attacking the system. Its not as straight forward as saying "PoS is bad because it has this vulnerability" when the system you compare it to also has a very similar vulnerability. You need to quantify the difference at that point.
>
> > the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system
>
> Known by public key, not by IP address.
>
> > (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
>
> I agree that claiming that Y is a solved problem would be misleading if the solution creates problems that are of greater significance than the original problem. I would also agree that if the solution creates significant problems that are substantially less significant than the problem it solves, it would be misleading to say its a "solved problem" - saying "partially solved" would be more accurate there.
>
> However, I do not agree that it is at all misleading to say "nothing at stake is a solved problem" just because solving that specific problem doesn't solve all the problems with proof of stake. Its unreasonable to expect that when someone claims problem X is solved, that it also implies all problems related to X are solved.
>
> I maintain that nothing at stake is a solved problem. There are solutions that do not create other problems of anywhere near the same level of significance.
>
> > Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great
>
> I don't believe we're in agreement there. I don't know how what you said refutes my point.
>
> > I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure.
>
> You were the one that claimed proof of stake cannot be made secure. The burden of proof is on you to support your own claims.
>
> > You have not described a system that would solve it
>
> I would be curious to hear a full critique from you about this protocol.
>
> On Wed, May 26, 2021 at 3:12 AM befreeandopen <befreeandopen@protonmail.com> wrote:
>>
>>
>>
>> @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
>>
>> 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
>> 2. They receive a new block minted by someone else.
>> 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
>> 4. Profit!
>>
>> The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
>>
>>
>> Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
>>
>> I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
>>
>> What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
>>
>>
>>
>> Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
>>
>>
>> How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
>>
>>
>>
>> > the problem is not as hard as you think
>>
>> I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
>>
>>
>> This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
>>
>>
>>
>>
>> > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
>>
>> I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
>>
>>
>> Perhaps you should quote the full sentence and not just a part of it:
>>
>> "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
>>
>> You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
>> In case of the punishment it was meant to be the not solve it completely part.
>> Also "typically" does not imply always.
>> But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
>>
>>
>>
>> > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
>>
>> Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
>>
>>
>> This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
>>
>>
>>
>>
>> > Just because of the above we must reject PoS as being critically insecure
>>
>> I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
>>
>>
>> I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
>>
>> Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
>>
>>
>>
>>
>>
>> On Tue, May 25, 2021 at 11:10 AM befreeandopen <befreeandopen@protonmail.com> wrote:
>>>
>>>
>>> @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
>>>
>>> The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
>>>
>>>
>>> This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
>>>
>>>
>>>
>>> > I am not sure if this is what you call quorum-based PoS
>>>
>>> Yes, pre-selected minters is exactly what I mean by that.
>>>
>>> > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
>>>
>>> Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
>>>
>>>
>>> I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
>>>
>>>
>>>
>>> Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
>>>
>>>
>>> While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
>>>
>>> Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
>>>
>>> Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
>>>
>>>
>>> So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
>>>
>>>
>>> It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
>>>
>>> Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
>>>
>>>
>>>
>>> On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
>>>>
>>>> > > you burn them to be used at a future particular block height
>>>>
>>>> > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>>
>>>> could be right. the original idea was to have burns decay over time,
>>>> like ASIC's.
>>>>
>>>> anyway the point was not that "i had a magic formula"
>>>>
>>>> the point was that proof of burn is almost always better than proof of
>>>> stake - simply because the "proof" is on-chain, not sitting on a node
>>>> somewhere waiting to be stolen.
>>>>
>>>> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>> >
>>>> > Is this the kind of proof of burn you're talking about?
>>>> >
>>>> > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
>>>> >
>>>> > What prevents you from attempting to mine block 553 on both chains?
>>>> >
>>>> > > miners have a very strong, long-term, investment in the stability of the chain.
>>>> >
>>>> > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
>>>> >
>>>> > > you burn them to be used at a future particular block height
>>>> >
>>>> > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>> >
>>>> > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
>>>> >
>>>> > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
>>>> >
>>>> >
>>>> > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>>>> >>
>>>> >> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>> >> > I'm fuzzy on how proof of burn works.
>>>> >>
>>>> >> when you burn coins, you burn them to be used at a future particular
>>>> >> block height: so if i'm burning for block 553, i can only use them to
>>>> >> mine block 553. if i have a choice between two chains, one longer
>>>> >> and one shorter, i can only choose one... deterministically, for that
>>>> >> burn: the chain with the height 553. if we fix the "lead time" for
>>>> >> burned coins to be weeks or even months in advance, miners have a very
>>>> >> strong, long-term, investment in the stability of the chain.
>>>> >>
>>>> >> therefore there is no "nothing at stake" problem. it's
>>>> >> deterministic, so miners have no choice. they can *only* choose the
>>>> >> transactions that go into the block. they cannot choose which chain
>>>> >> to mine, and it's time-locked, so rollbacks and instability always
>>>> >> hurt miners the most.
>>>> >>
>>>> >> the "punishment" systems of PoS are "weird at best", certainly
>>>> >> unproven. i can imagine scenarios where large stakeholders can
>>>> >> collude to punish smaller stakeholders simply to drive them out of
>>>> >> business, for example. and then you have to put checks in place to
>>>> >> prevent that, and more checks for those prevention system...
>>>> >>
>>>> >> in PoB, there is no complexity. simpler systems like this are
>>>> >> typically more secure.
>>>> >>
>>>> >> PoB also solves problems caused by "energy dependence", which could
>>>> >> lead to state monopolies on mining (like the new Bitcoin Mining
>>>> >> Council). these consortiums, if state sanctioned, could become a
>>>> >> source of censorship, for example. Since PoB doesn't require you to
>>>> >> have a live, well-connected node, it's harder to censor & harder to
>>>> >> trace.
>>>> >>
>>>> >> Eliminating this weakness seems to be in the best interests of
>>>> >> existing stakeholders
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>> >> >
>>>> >> > > proof of burn clearly solves this, since nothing is held online
>>>> >> >
>>>> >> > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>>>> >> >
>>>> >> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>> >> >
>>>> >> > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>>>> >> >
>>>> >> > > proof of burn can be more secure than proof-of-stake
>>>> >> >
>>>> >> > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>>>> >> >
>>>> >> >
>>>> >> >
>>>> >> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>>>> >> >>
>>>> >> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>> >> >>
>>>> >> >> proof of burn clearly solves this, since nothing is held online
>>>> >> >>
>>>> >> >> > how does proof of burn solve the "nothing at stake" problem in your view?
>>>> >> >>
>>>> >> >> definition of nothing at stake: in the event of a fork, whether the
>>>> >> >> fork is accidental or a malicious, the optimal strategy for any miner
>>>> >> >> is to mine on every chain, so that the miner gets their reward no
>>>> >> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>>>> >> >> published on the very chains mines, so the incentive is magnified.
>>>> >> >>
>>>> >> >> in proof-of-burn, your burn investment is always "at stake", any
>>>> >> >> redaction can result in a loss-of-burn, because burns can be tied,
>>>> >> >> precisely, to block-heights
>>>> >> >>
>>>> >> >> as a result, miners no longer have an incentive to mine all chains
>>>> >> >>
>>>> >> >> in this way proof of burn can be more secure than proof-of-stake, and
>>>> >> >> even more secure than proof of work
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >> >
>>>> >> >>
>>>> >> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>>>> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >> >
>>>> >> >> > Hi Billy,
>>>> >> >> >
>>>> >> >> > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>>>> >> >> > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>>>> >> >> >
>>>> >> >> > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>>>> >> >> > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>>>> >> >> > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>>>> >> >> > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>>>> >> >> > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>>>> >> >> > In PoS systems this clean separation of responsibilities does not exist.
>>>> >> >> >
>>>> >> >> > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>>>> >> >> > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>>>> >> >> > But the devil is in the detail.
>>>> >> >> > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>>>> >> >> >
>>>> >> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>>>> >> >> >
>>>> >> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>>>> >> >> > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>>>> >> >> > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>>>> >> >> > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>>>> >> >> >
>>>> >> >> > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>>>> >> >> >
>>>> >> >> > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>>>> >> >> >
>>>> >> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>>>> >> >> > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>>>> >> >> > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>>>> >> >> >
>>>> >> >> > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>>>> >> >> > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>>>> >> >> > It also grows the size of the blockchain significantly.
>>>> >> >> >
>>>> >> >> > ### "Pure" proof of stake (Algorand)
>>>> >> >> >
>>>> >> >> > Algorand's[4] approach is to only allow online stake to participate in the protocol.
>>>> >> >> > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>>>> >> >> > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>>>> >> >> > Hopefully you've spotted the problem.
>>>> >> >> > You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>>>> >> >> > Damn it's still Proof-of-SquareSpace!
>>>> >> >> > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>>>> >> >> > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>>>> >> >> >
>>>> >> >> > ### Conclusion
>>>> >> >> >
>>>> >> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>> >> >> > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>>>> >> >> >
>>>> >> >> > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>>>> >> >> > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>>>> >> >> > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>>>> >> >> > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>>>> >> >> >
>>>> >> >> > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>>>> >> >> >
>>>> >> >> > Would be interested to know if you or others think differently on these points.
>>>> >> >> >
>>>> >> >> > [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>>>> >> >> > [2]: https://staking.staked.us/algorand-staking
>>>> >> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>>>> >> >> > [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>>>> >> >> > [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>>> >> >> >
>>>> >> >> > Cheers,
>>>> >> >> >
>>>> >> >> > LL
>>>> >> >> >
>>>> >> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >> >>
>>>> >> >> >> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>>>> >> >> >>
>>>> >> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>>>> >> >> >> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>>>> >> >> >> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>>>> >> >> >> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>>>> >> >> >> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>>>> >> >> >>
>>>> >> >> >> > Proof-of-stake tends towards oligopolistic control
>>>> >> >> >>
>>>> >> >> >> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>>>> >> >> >>
>>>> >> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>>> >> >> >>
>>>> >> >> >> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>>>> >> >> >>
>>>> >> >> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>>> >> >> >>
>>>> >> >> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>>>> >> >> >>
>>>> >> >> >> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>>>> >> >> >>
>>>> >> >> >> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>>>> >> >> >>
>>>> >> >> >> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>>>> >> >> >>
>>>> >> >> >> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>>>> >> >> >>
>>>> >> >> >> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>>>> >> >> >>
>>>> >> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>>>> >> >> >>
>>>> >> >> >>
>>>> >> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >> >>>
>>>> >> >> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>> >> >> >>>
>>>> >> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>>> >> >> >>>>
>>>> >> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>>> >> >> >>>>
>>>> >> >> >>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>> >> >> >>>>
>>>> >> >> >>>> Cheers,
>>>> >> >> >>>> Mike
>>>> >> >> >>>>
>>>> >> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> >> >> >>>>>
>>>> >> >> >>>>> 1. i never suggested vdf's to replace pow.
>>>> >> >> >>>>>
>>>> >> >> >>>>> 2. my suggestion was specifically *in the context of* a working
>>>> >> >> >>>>> proof-of-burn protocol
>>>> >> >> >>>>>
>>>> >> >> >>>>> - vdfs used only for timing (not block height)
>>>> >> >> >>>>> - blind-burned coins of a specific age used to replace proof of work
>>>> >> >> >>>>> - the required "work" per block would simply be a competition to
>>>> >> >> >>>>> acquire rewards, and so miners would have to burn coins, well in
>>>> >> >> >>>>> advance, and hope that their burned coins got rewarded in some far
>>>> >> >> >>>>> future
>>>> >> >> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>> >> >> >>>>> value gained from proof of work... without some of the security
>>>> >> >> >>>>> drawbacks
>>>> >> >> >>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>> >> >> >>>>> losing their work in each block)
>>>> >> >> >>>>> - new burns can't be used
>>>> >> >> >>>>> - old burns age out (like ASICs do)
>>>> >> >> >>>>> - other requirements on burns might be needed to properly mirror the
>>>> >> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>> >> >> >>>>>
>>>> >> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>> >> >> >>>>> might be more secure in the long run, and that if the entire space
>>>> >> >> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>> >> >> >>>>> up, and a hard-fork could be initiated.
>>>> >> >> >>>>>
>>>> >> >> >>>>> 4. i would never suggest such a thing unless i believed it was
>>>> >> >> >>>>> possible that consensus was possible. so no, this is not an "alt
>>>> >> >> >>>>> coin"
>>>> >> >> >>>>>
>>>> >> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>>> >> >> >>>>> >
>>>> >> >> >>>>> > Hi ZmnSCPxj,
>>>> >> >> >>>>> >
>>>> >> >> >>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>>> >> >> >>>>> >
>>>> >> >> >>>>> > Zac
>>>> >> >> >>>>> >
>>>> >> >> >>>>> >
>>>> >> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>>> >> >> >>>>> >>
>>>> >> >> >>>>> >> Good morning Zac,
>>>> >> >> >>>>> >>
>>>> >> >> >>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>>> >> >> >>>>> >> >
>>>> >> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>>> >> >> >>>>> >> >
>>>> >> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>>> >> >> >>>>> >> >
>>>> >> >> >>>>> >> > As a result, variation in block times will be greatly reduced.
>>>> >> >> >>>>> >>
>>>> >> >> >>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>>> >> >> >>>>> >>
>>>> >> >> >>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>>> >> >> >>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>> >> >> >>>>> >>
>>>> >> >> >>>>> >> Regards,
>>>> >> >> >>>>> >> ZmnSCPxj
>>>> >> >> >>>>> _______________________________________________
>>>> >> >> >>>>> bitcoin-dev mailing list
>>>> >> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> >> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>> >> >> >>>>
>>>> >> >> >>>>
>>>> >> >> >>>>
>>>> >> >> >>>> --
>>>> >> >> >>>> Michael Dubrovsky
>>>> >> >> >>>> Founder; PoWx
>>>> >> >> >>>> www.PoWx.org
>>>> >> >> >>>
>>>> >> >> >>>
>>>> >> >> >>>
>>>> >> >> >>> --
>>>> >> >> >>> Michael Dubrovsky
>>>> >> >> >>> Founder; PoWx
>>>> >> >> >>> www.PoWx.org
>>>> >> >> >>> _______________________________________________
>>>> >> >> >>> bitcoin-dev mailing list
>>>> >> >> >>> bitcoin-dev@lists.linuxfoundation.org
>>>> >> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>> >> >> >>
>>>> >> >> >> _______________________________________________
>>>> >> >> >> bitcoin-dev mailing list
>>>> >> >> >> bitcoin-dev@lists.linuxfoundation.org
>>>> >> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>> >> >> >
>>>> >> >> > _______________________________________________
>>>> >> >> > bitcoin-dev mailing list
>>>> >> >> > bitcoin-dev@lists.linuxfoundation.org
>>>> >> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>>
>>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-27 10:08 ` Billy Tetrud
2021-05-27 13:11 ` Erik Aronesty
@ 2021-05-28 14:36 ` befreeandopen
1 sibling, 0 replies; 67+ messages in thread
From: befreeandopen @ 2021-05-28 14:36 UTC (permalink / raw)
To: Billy Tetrud; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 49903 bytes --]
>> using nothing at stake
>
> I see from the way you're using this term now that you mean something completely different by it than I usually understand the phrase. You seem to mean it as that minters can check whether they can mint a block without any cost. By contrast, I generally understand the phrase to mean the problem where there is no cost to broadcasting blocks on many different chains.
"Nothing at stake" is a very good name of the problem we are talking about. It says that certain behavior is possible because there is ... nothing at stake. In PoW, significant energy has to be spent in order to create a valid block. In PoS, because there is minimal amount of energy involved, you can create blocks anywhere if you just follow the consensus rules for their structure. Call it whatever you want, but this is the very core of nothing at stake problem. You can do stuff that you can't do in PoW and it is because there is nothing at stake. If you want to make some arbitrary very narrow definitions of what nothing at stake is so that you can claim your false statement that it is a solved problem, that's I guess an end to our discussion as I am not interested in such nonsense.
>> she gained an extra block over the honest strategy which would only give her block D
>
> I think I see what you're saying now. It actually sounds quite similar to the selfish mining attack in proof of work. However I do acknowledge that the ability to secretly mint on both your secret chain(s) and the public chain makes it worse in PoS. How much worse is something that should be quantified. This is also a solvable problem. Designing a secure system can be kind of like whack a mole. You fix the weakest link in the chain, and there is inevitably now a new weakest link that is stronger than the link you fixed. Bitcoin is no different, as development continues, more security improvements are implemented.
>
> In this case, there's a number of possible solutions, some of which can be combined. Eg you can program all honest clients to mint selfishly. You'd likely need to lengthen the number of blocks that constitute a finalized transaction, but you can probably reduce the block time to compensate, so finalization doesn't actually take longer. You could also require many additional signatures on each block from outside validators.
Here you are just proving my case that "typically, you fix something in PoS by creating a problem elsewhere". This is exactly your "whack a mole" game you want to play, I don't. You've still misunderstood what I described it in my previous email. It has nothing to do with selfish mining. My attacker is not withholding the block from others, she just checks (almost instantly) if she can do better using different chain.
>> How is that relevant to our discussion?
>
> It is relevant because the benefits of proof of stake must be compared to an alternative, and the alternative of reference here is clearly PoW. I'm pointing out that the vulnerability you're describing in the type of PoS you're talking about also exists in what its being compared against. To know whether PoS or PoW is better on this particular aspect, you need to compare the levels of advantage that can be obtained in each, and how this affects the cost of attacking the system. Its not as straight forward as saying "PoS is bad because it has this vulnerability" when the system you compare it to also has a very similar vulnerability. You need to quantify the difference at that point.
Since you do not understand that the described attack has nothing to do with selfish mining, you are wrong here again. Bitcoin does not suffer from the problem of free block building on different parent blocks.
>> the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system
>
> Known by public key, not by IP address.
You believe the analysis of the block origin is a hard problem, I believe contrary. Similar analyzes have been done on Bitcoin in the past. For me these quorum systems are thus not interesting because they are obviously vulnerable.
> However, I do not agree that it is at all misleading to say "nothing at stake is a solved problem" just because solving that specific problem doesn't solve all the problems with proof of stake. Its unreasonable to expect that when someone claims problem X is solved, that it also implies all problems related to X are solved.
No one claimed that. I have described nothing at stake attack that you still don't understand and are unable to solve (without creating a huge problem elsewhere). You are, again, for unknown reason putting words into my mouth that I've not said.
>> I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure.
>
> You were the one that claimed proof of stake cannot be made secure. The burden of proof is on you to support your own claims.
Let me remind you the original text of yours where I entered the debate:
> FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
Again, you are putting words into my mouth that I have not said. This is either intentional deception from you or a great negligence. As you can see, I have entered the debate at the point where you falsely claimed "nothing at stake problem is a solved problem". That is the claim that you are supposed to prove. The burden of proof is on you. This is a very bold claim, contrary to general knowledge in the field, it claims that something that was not possible before is now possible. It is like if I said that "cold fusion" is a solved problem today. You'd say that it is not and I'd say - the burden of proof is on your side as you are claiming that "cold fusion is impossible".
Fortunately, this is not how it works.
>> You have not described a system that would solve it
>
> I would be curious to hear a full critique from you about [this protocol](https://github.com/fresheneesz/ValidatedProofOfStake).
I hope you can understand, that since I revealed great gaps in your technical knowledge, as well as problems in your ability to understand concepts related to PoS, as well as ability to discuss without fallacies (which is very annoying to be honest), I have no intention in spending my time on your creations anymore unless there is a significant community interest in your work, which I think is unlikely, but hey, prove me wrong.
For all above reasons, I will leave you here without further comments as the discussion can no longer be fruitful between us.
> On Wed, May 26, 2021 at 3:12 AM befreeandopen <befreeandopen@protonmail.com> wrote:
>
>>> @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
>>>
>>> 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
>>> 2. They receive a new block minted by someone else.
>>> 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
>>> 4. Profit!
>>>
>>> The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
>>
>> Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
>>
>> I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
>>
>> What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
>>
>>> Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by [at least 1/3rd](https://bitcoinmagazine.com/technical/selfish-mining-a-25-attack-against-the-bitcoin-network-1383578440).
>>
>> How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
>>
>>>> the problem is not as hard as you think
>>>
>>> I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
>>
>> This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
>>
>>>> I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
>>>
>>> I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
>>
>> Perhaps you should quote the full sentence and not just a part of it:
>>
>> "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
>>
>> You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
>> In case of the punishment it was meant to be the not solve it completely part.
>> Also "typically" does not imply always.
>> But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
>>
>>>> As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
>>>
>>> Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
>>
>> This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
>>
>>>> Just because of the above we must reject PoS as being critically insecure
>>>
>>> I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
>>
>> I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
>>
>> Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
>>
>>> On Tue, May 25, 2021 at 11:10 AM befreeandopen <befreeandopen@protonmail.com> wrote:
>>>
>>>>> @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
>>>>>
>>>>> The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the [reasoning here](https://github.com/fresheneesz/ValidatedProofOfStake#security-the-minimum-cost-of-attack) for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
>>>>
>>>> This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
>>>>
>>>>>> I am not sure if this is what you call quorum-based PoS
>>>>>
>>>>> Yes, pre-selected minters is exactly what I mean by that.
>>>>>
>>>>>> it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
>>>>>
>>>>> Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
>>>>
>>>> I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
>>>>
>>>>> Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
>>>>
>>>> While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
>>>>
>>>> Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
>>>>
>>>> Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
>>>>
>>>>> So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
>>>>
>>>> It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
>>>>
>>>> Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
>>>>
>>>>> On Tue, May 25, 2021 at 3:00 AM Erik Aronesty <erik@q32.com> wrote:
>>>>>
>>>>>>> > you burn them to be used at a future particular block height
>>>>>>
>>>>>>> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>>>>
>>>>>> could be right. the original idea was to have burns decay over time,
>>>>>> like ASIC's.
>>>>>>
>>>>>> anyway the point was not that "i had a magic formula"
>>>>>>
>>>>>> the point was that proof of burn is almost always better than proof of
>>>>>> stake - simply because the "proof" is on-chain, not sitting on a node
>>>>>> somewhere waiting to be stolen.
>>>>>>
>>>>>> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>>>>>
>>>>>>> Is this the kind of proof of burn you're talking about?
>>>>>>>
>>>>>>> > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
>>>>>>>
>>>>>>> What prevents you from attempting to mine block 553 on both chains?
>>>>>>>
>>>>>>> > miners have a very strong, long-term, investment in the stability of the chain.
>>>>>>>
>>>>>>> Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
>>>>>>>
>>>>>>> > you burn them to be used at a future particular block height
>>>>>>>
>>>>>>> This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
>>>>>>>
>>>>>>> > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
>>>>>>>
>>>>>>> Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
>>>>>>>
>>>>>>>
>>>>>>> On Mon, May 24, 2021 at 11:49 AM Erik Aronesty <erik@q32.com> wrote:
>>>>>>>>
>>>>>>>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>>>>>> > I'm fuzzy on how proof of burn works.
>>>>>>>>
>>>>>>>> when you burn coins, you burn them to be used at a future particular
>>>>>>>> block height: so if i'm burning for block 553, i can only use them to
>>>>>>>> mine block 553. if i have a choice between two chains, one longer
>>>>>>>> and one shorter, i can only choose one... deterministically, for that
>>>>>>>> burn: the chain with the height 553. if we fix the "lead time" for
>>>>>>>> burned coins to be weeks or even months in advance, miners have a very
>>>>>>>> strong, long-term, investment in the stability of the chain.
>>>>>>>>
>>>>>>>> therefore there is no "nothing at stake" problem. it's
>>>>>>>> deterministic, so miners have no choice. they can *only* choose the
>>>>>>>> transactions that go into the block. they cannot choose which chain
>>>>>>>> to mine, and it's time-locked, so rollbacks and instability always
>>>>>>>> hurt miners the most.
>>>>>>>>
>>>>>>>> the "punishment" systems of PoS are "weird at best", certainly
>>>>>>>> unproven. i can imagine scenarios where large stakeholders can
>>>>>>>> collude to punish smaller stakeholders simply to drive them out of
>>>>>>>> business, for example. and then you have to put checks in place to
>>>>>>>> prevent that, and more checks for those prevention system...
>>>>>>>>
>>>>>>>> in PoB, there is no complexity. simpler systems like this are
>>>>>>>> typically more secure.
>>>>>>>>
>>>>>>>> PoB also solves problems caused by "energy dependence", which could
>>>>>>>> lead to state monopolies on mining (like the new Bitcoin Mining
>>>>>>>> Council). these consortiums, if state sanctioned, could become a
>>>>>>>> source of censorship, for example. Since PoB doesn't require you to
>>>>>>>> have a live, well-connected node, it's harder to censor & harder to
>>>>>>>> trace.
>>>>>>>>
>>>>>>>> Eliminating this weakness seems to be in the best interests of
>>>>>>>> existing stakeholders
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
>>>>>>>> >
>>>>>>>> > > proof of burn clearly solves this, since nothing is held online
>>>>>>>> >
>>>>>>>> > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
>>>>>>>> >
>>>>>>>> > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
>>>>>>>> >
>>>>>>>> > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
>>>>>>>> >
>>>>>>>> > > proof of burn can be more secure than proof-of-stake
>>>>>>>> >
>>>>>>>> > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty <erik@q32.com> wrote:
>>>>>>>> >>
>>>>>>>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>>>>>> >>
>>>>>>>> >> proof of burn clearly solves this, since nothing is held online
>>>>>>>> >>
>>>>>>>> >> > how does proof of burn solve the "nothing at stake" problem in your view?
>>>>>>>> >>
>>>>>>>> >> definition of nothing at stake: in the event of a fork, whether the
>>>>>>>> >> fork is accidental or a malicious, the optimal strategy for any miner
>>>>>>>> >> is to mine on every chain, so that the miner gets their reward no
>>>>>>>> >> matter which fork wins. indeed in proof-of-stake, the proofs are
>>>>>>>> >> published on the very chains mines, so the incentive is magnified.
>>>>>>>> >>
>>>>>>>> >> in proof-of-burn, your burn investment is always "at stake", any
>>>>>>>> >> redaction can result in a loss-of-burn, because burns can be tied,
>>>>>>>> >> precisely, to block-heights
>>>>>>>> >>
>>>>>>>> >> as a result, miners no longer have an incentive to mine all chains
>>>>>>>> >>
>>>>>>>> >> in this way proof of burn can be more secure than proof-of-stake, and
>>>>>>>> >> even more secure than proof of work
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >> >
>>>>>>>> >>
>>>>>>>> >> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>>>>>>>> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>>>> >> >
>>>>>>>> >> > Hi Billy,
>>>>>>>> >> >
>>>>>>>> >> > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
>>>>>>>> >> > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
>>>>>>>> >> >
>>>>>>>> >> > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
>>>>>>>> >> > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
>>>>>>>> >> > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
>>>>>>>> >> > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
>>>>>>>> >> > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
>>>>>>>> >> > In PoS systems this clean separation of responsibilities does not exist.
>>>>>>>> >> >
>>>>>>>> >> > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
>>>>>>>> >> > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
>>>>>>>> >> > But the devil is in the detail.
>>>>>>>> >> > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
>>>>>>>> >> >
>>>>>>>> >> > ### Proof of SquareSpace (Cardano, Polkdadot)
>>>>>>>> >> >
>>>>>>>> >> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt on-chain delegation system[5].
>>>>>>>> >> > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
>>>>>>>> >> > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
>>>>>>>> >> > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
>>>>>>>> >> >
>>>>>>>> >> > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
>>>>>>>> >> >
>>>>>>>> >> > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and *you never help create a block without seeing it first*.
>>>>>>>> >> >
>>>>>>>> >> > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
>>>>>>>> >> > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
>>>>>>>> >> > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
>>>>>>>> >> >
>>>>>>>> >> > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
>>>>>>>> >> > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
>>>>>>>> >> > It also grows the size of the blockchain significantly.
>>>>>>>> >> >
>>>>>>>> >> > ### "Pure" proof of stake (Algorand)
>>>>>>>> >> >
>>>>>>>> >> > Algorand's[4] approach is to only allow online stake to participate in the protocol.
>>>>>>>> >> > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
>>>>>>>> >> > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"[1] that will be used to create blocks on your coin holding key's behalf.
>>>>>>>> >> > Hopefully you've spotted the problem.
>>>>>>>> >> > You can send your participation keys to any malicious party with a nice website (see random example [2]) offering you a good return.
>>>>>>>> >> > Damn it's still Proof-of-SquareSpace!
>>>>>>>> >> > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
>>>>>>>> >> > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
>>>>>>>> >> >
>>>>>>>> >> > ### Conclusion
>>>>>>>> >> >
>>>>>>>> >> > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
>>>>>>>> >> > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
>>>>>>>> >> >
>>>>>>>> >> > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
>>>>>>>> >> > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
>>>>>>>> >> > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
>>>>>>>> >> > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
>>>>>>>> >> >
>>>>>>>> >> > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
>>>>>>>> >> >
>>>>>>>> >> > Would be interested to know if you or others think differently on these points.
>>>>>>>> >> >
>>>>>>>> >> > [1]: https://developer.algorand.org/docs/run-a-node/participate/generate_keys/
>>>>>>>> >> > [2]: https://staking.staked.us/algorand-staking
>>>>>>>> >> > [3]: https://eprint.iacr.org/2017/573.pdf
>>>>>>>> >> > [4]: https://algorandcom.cdn.prismic.io/algorandcom%2Fece77f38-75b3-44de-bc7f-805f0e53a8d9_theoretical.pdf
>>>>>>>> >> > [5]: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
>>>>>>>> >> >
>>>>>>>> >> > Cheers,
>>>>>>>> >> >
>>>>>>>> >> > LL
>>>>>>>> >> >
>>>>>>>> >> > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>>>> >> >>
>>>>>>>> >> >> I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) *without* compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
>>>>>>>> >> >>
>>>>>>>> >> >> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
>>>>>>>> >> >> * The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
>>>>>>>> >> >> * The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
>>>>>>>> >> >> * The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
>>>>>>>> >> >> * Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
>>>>>>>> >> >>
>>>>>>>> >> >> > Proof-of-stake tends towards oligopolistic control
>>>>>>>> >> >>
>>>>>>>> >> >> People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
>>>>>>>> >> >>
>>>>>>>> >> >> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>>>>>>>> >> >>
>>>>>>>> >> >> I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
>>>>>>>> >> >>
>>>>>>>> >> >> > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>>>>>>>> >> >>
>>>>>>>> >> >> I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
>>>>>>>> >> >>
>>>>>>>> >> >> > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
>>>>>>>> >> >>
>>>>>>>> >> >> Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
>>>>>>>> >> >>
>>>>>>>> >> >> > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
>>>>>>>> >> >>
>>>>>>>> >> >> This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
>>>>>>>> >> >>
>>>>>>>> >> >> > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
>>>>>>>> >> >>
>>>>>>>> >> >> Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
>>>>>>>> >> >>
>>>>>>>> >> >>
>>>>>>>> >> >> On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>>>> >> >>>
>>>>>>>> >> >>> Ah sorry, I didn't realize this was, in fact, a different thread! :)
>>>>>>>> >> >>>
>>>>>>>> >> >>> On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky <mike@powx.org> wrote:
>>>>>>>> >> >>>>
>>>>>>>> >> >>>> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
>>>>>>>> >> >>>>
>>>>>>>> >> >>>> Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
>>>>>>>> >> >>>>
>>>>>>>> >> >>>> Cheers,
>>>>>>>> >> >>>> Mike
>>>>>>>> >> >>>>
>>>>>>>> >> >>>> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>>>>> >> >>>>>
>>>>>>>> >> >>>>> 1. i never suggested vdf's to replace pow.
>>>>>>>> >> >>>>>
>>>>>>>> >> >>>>> 2. my suggestion was specifically *in the context of* a working
>>>>>>>> >> >>>>> proof-of-burn protocol
>>>>>>>> >> >>>>>
>>>>>>>> >> >>>>> - vdfs used only for timing (not block height)
>>>>>>>> >> >>>>> - blind-burned coins of a specific age used to replace proof of work
>>>>>>>> >> >>>>> - the required "work" per block would simply be a competition to
>>>>>>>> >> >>>>> acquire rewards, and so miners would have to burn coins, well in
>>>>>>>> >> >>>>> advance, and hope that their burned coins got rewarded in some far
>>>>>>>> >> >>>>> future
>>>>>>>> >> >>>>> - the point of burned coins is to mimic, in every meaningful way, the
>>>>>>>> >> >>>>> value gained from proof of work... without some of the security
>>>>>>>> >> >>>>> drawbacks
>>>>>>>> >> >>>>> - the miner risks losing all of his burned coins (like all miners risk
>>>>>>>> >> >>>>> losing their work in each block)
>>>>>>>> >> >>>>> - new burns can't be used
>>>>>>>> >> >>>>> - old burns age out (like ASICs do)
>>>>>>>> >> >>>>> - other requirements on burns might be needed to properly mirror the
>>>>>>>> >> >>>>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>>>>>>> >> >>>>>
>>>>>>>> >> >>>>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>>>>>>>> >> >>>>> might be more secure in the long run, and that if the entire space
>>>>>>>> >> >>>>> agreed that such an endeavor was worthwhile, a test net could be spun
>>>>>>>> >> >>>>> up, and a hard-fork could be initiated.
>>>>>>>> >> >>>>>
>>>>>>>> >> >>>>> 4. i would never suggest such a thing unless i believed it was
>>>>>>>> >> >>>>> possible that consensus was possible. so no, this is not an "alt
>>>>>>>> >> >>>>> coin"
>>>>>>>> >> >>>>>
>>>>>>>> >> >>>>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood <zachgrw@gmail.com> wrote:
>>>>>>>> >> >>>>> >
>>>>>>>> >> >>>>> > Hi ZmnSCPxj,
>>>>>>>> >> >>>>> >
>>>>>>>> >> >>>>> > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
>>>>>>>> >> >>>>> >
>>>>>>>> >> >>>>> > Zac
>>>>>>>> >> >>>>> >
>>>>>>>> >> >>>>> >
>>>>>>>> >> >>>>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>>>>>>>> >> >>>>> >>
>>>>>>>> >> >>>>> >> Good morning Zac,
>>>>>>>> >> >>>>> >>
>>>>>>>> >> >>>>> >> > VDFs might enable more constant block times, for instance by having a two-step PoW:
>>>>>>>> >> >>>>> >> >
>>>>>>>> >> >>>>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
>>>>>>>> >> >>>>> >> >
>>>>>>>> >> >>>>> >> > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
>>>>>>>> >> >>>>> >> >
>>>>>>>> >> >>>>> >> > As a result, variation in block times will be greatly reduced.
>>>>>>>> >> >>>>> >>
>>>>>>>> >> >>>>> >> As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
>>>>>>>> >> >>>>> >>
>>>>>>>> >> >>>>> >> Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even *worse* competition and even *more* energy consumption.
>>>>>>>> >> >>>>> >> After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where *only you* can mine *in the entire world*.
>>>>>>>> >> >>>>> >>
>>>>>>>> >> >>>>> >> Regards,
>>>>>>>> >> >>>>> >> ZmnSCPxj
>>>>>>>> >> >>>>> _______________________________________________
>>>>>>>> >> >>>>> bitcoin-dev mailing list
>>>>>>>> >> >>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>>>>> >> >>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>>>> >> >>>>
>>>>>>>> >> >>>>
>>>>>>>> >> >>>>
>>>>>>>> >> >>>> --
>>>>>>>> >> >>>> Michael Dubrovsky
>>>>>>>> >> >>>> Founder; PoWx
>>>>>>>> >> >>>> www.PoWx.org
>>>>>>>> >> >>>
>>>>>>>> >> >>>
>>>>>>>> >> >>>
>>>>>>>> >> >>> --
>>>>>>>> >> >>> Michael Dubrovsky
>>>>>>>> >> >>> Founder; PoWx
>>>>>>>> >> >>> www.PoWx.org
>>>>>>>> >> >>> _______________________________________________
>>>>>>>> >> >>> bitcoin-dev mailing list
>>>>>>>> >> >>> bitcoin-dev@lists.linuxfoundation.org
>>>>>>>> >> >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>>>> >> >>
>>>>>>>> >> >> _______________________________________________
>>>>>>>> >> >> bitcoin-dev mailing list
>>>>>>>> >> >> bitcoin-dev@lists.linuxfoundation.org
>>>>>>>> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>>>> >> >
>>>>>>>> >> > _______________________________________________
>>>>>>>> >> > bitcoin-dev mailing list
>>>>>>>> >> > bitcoin-dev@lists.linuxfoundation.org
>>>>>>>> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 64935 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-26 22:07 ` Erik Aronesty
@ 2021-05-28 14:40 ` befreeandopen
2021-05-28 20:06 ` Erik Aronesty
0 siblings, 1 reply; 67+ messages in thread
From: befreeandopen @ 2021-05-28 14:40 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh, Billy Tetrud
Erik, I am sorry, I have little knowledge about proof-of-burn, I never found it interesting up until now. Some of your recent claims seem quite strong to me and I'd like to read more.
Forgive me if this has been mentioned recently, but is there a full specification of the concept you are referring to? I don't mean just the basic idea description (that much is clear to me), I mean a fully detailed proposal or technical documentation that would give me a precise information about what exactly it is that you are talking about.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty <erik@q32.com> wrote:
> note: the "nothing at stake" problem you propose is not broken for
> proof-of-burn, because the attacker
>
> a) has no idea which past transactions are burns
> b) has no way to use his mining power, even 5%, to maliciously improve
> his odds of being selected
>
> On Wed, May 26, 2021 at 9:12 AM befreeandopen
> befreeandopen@protonmail.com wrote:
>
> > @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
> >
> > 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> > 2. They receive a new block minted by someone else.
> > 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> > 4. Profit!
> >
> > The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
> > Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
> > I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
> > What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
> > Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
> > How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
> >
> > > the problem is not as hard as you think
> >
> > I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
> > This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
> >
> > > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
> >
> > I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
> > Perhaps you should quote the full sentence and not just a part of it:
> > "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
> > You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
> > In case of the punishment it was meant to be the not solve it completely part.
> > Also "typically" does not imply always.
> > But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
> >
> > > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
> >
> > Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
> > This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
> >
> > > Just because of the above we must reject PoS as being critically insecure
> >
> > I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
> > I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
> > Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
> > On Tue, May 25, 2021 at 11:10 AM befreeandopen befreeandopen@protonmail.com wrote:
> >
> > > @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
> > > The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
> > > This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
> > >
> > > > I am not sure if this is what you call quorum-based PoS
> > >
> > > Yes, pre-selected minters is exactly what I mean by that.
> > >
> > > > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
> > >
> > > Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
> > > I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
> > > Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
> > > While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
> > > Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
> > > Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
> > > So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
> > > It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
> > > Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
> > > On Tue, May 25, 2021 at 3:00 AM Erik Aronesty erik@q32.com wrote:
> > >
> > > > > > you burn them to be used at a future particular block height
> > > >
> > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > >
> > > > could be right. the original idea was to have burns decay over time,
> > > > like ASIC's.
> > > > anyway the point was not that "i had a magic formula"
> > > > the point was that proof of burn is almost always better than proof of
> > > > stake - simply because the "proof" is on-chain, not sitting on a node
> > > > somewhere waiting to be stolen.
> > > > On Mon, May 24, 2021 at 9:53 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > >
> > > > > Is this the kind of proof of burn you're talking about?
> > > > >
> > > > > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
> > > > >
> > > > > What prevents you from attempting to mine block 553 on both chains?
> > > > >
> > > > > > miners have a very strong, long-term, investment in the stability of the chain.
> > > > >
> > > > > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
> > > > >
> > > > > > you burn them to be used at a future particular block height
> > > > >
> > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > >
> > > > > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
> > > > >
> > > > > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
> > > > > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty erik@q32.com wrote:
> > > > >
> > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > I'm fuzzy on how proof of burn works.
> > > > > >
> > > > > > when you burn coins, you burn them to be used at a future particular
> > > > > > block height: so if i'm burning for block 553, i can only use them to
> > > > > > mine block 553. if i have a choice between two chains, one longer
> > > > > > and one shorter, i can only choose one... deterministically, for that
> > > > > > burn: the chain with the height 553. if we fix the "lead time" for
> > > > > > burned coins to be weeks or even months in advance, miners have a very
> > > > > > strong, long-term, investment in the stability of the chain.
> > > > > > therefore there is no "nothing at stake" problem. it's
> > > > > > deterministic, so miners have no choice. they can only choose the
> > > > > > transactions that go into the block. they cannot choose which chain
> > > > > > to mine, and it's time-locked, so rollbacks and instability always
> > > > > > hurt miners the most.
> > > > > > the "punishment" systems of PoS are "weird at best", certainly
> > > > > > unproven. i can imagine scenarios where large stakeholders can
> > > > > > collude to punish smaller stakeholders simply to drive them out of
> > > > > > business, for example. and then you have to put checks in place to
> > > > > > prevent that, and more checks for those prevention system...
> > > > > > in PoB, there is no complexity. simpler systems like this are
> > > > > > typically more secure.
> > > > > > PoB also solves problems caused by "energy dependence", which could
> > > > > > lead to state monopolies on mining (like the new Bitcoin Mining
> > > > > > Council). these consortiums, if state sanctioned, could become a
> > > > > > source of censorship, for example. Since PoB doesn't require you to
> > > > > > have a live, well-connected node, it's harder to censor & harder to
> > > > > > trace.
> > > > > > Eliminating this weakness seems to be in the best interests of
> > > > > > existing stakeholders
> > > > > > On Mon, May 24, 2021 at 4:44 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > >
> > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > >
> > > > > > > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
> > > > > > >
> > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > >
> > > > > > > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
> > > > > > >
> > > > > > > > proof of burn can be more secure than proof-of-stake
> > > > > > >
> > > > > > > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
> > > > > > > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty erik@q32.com wrote:
> > > > > > >
> > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > >
> > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > >
> > > > > > > > > how does proof of burn solve the "nothing at stake" problem in your view?
> > > > > > > >
> > > > > > > > definition of nothing at stake: in the event of a fork, whether the
> > > > > > > > fork is accidental or a malicious, the optimal strategy for any miner
> > > > > > > > is to mine on every chain, so that the miner gets their reward no
> > > > > > > > matter which fork wins. indeed in proof-of-stake, the proofs are
> > > > > > > > published on the very chains mines, so the incentive is magnified.
> > > > > > > > in proof-of-burn, your burn investment is always "at stake", any
> > > > > > > > redaction can result in a loss-of-burn, because burns can be tied,
> > > > > > > > precisely, to block-heights
> > > > > > > > as a result, miners no longer have an incentive to mine all chains
> > > > > > > > in this way proof of burn can be more secure than proof-of-stake, and
> > > > > > > > even more secure than proof of work
> > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> > > > > > > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > >
> > > > > > > > > Hi Billy,
> > > > > > > > > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
> > > > > > > > > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
> > > > > > > > > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> > > > > > > > > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
> > > > > > > > > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
> > > > > > > > > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
> > > > > > > > > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
> > > > > > > > > In PoS systems this clean separation of responsibilities does not exist.
> > > > > > > > > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
> > > > > > > > > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
> > > > > > > > > But the devil is in the detail.
> > > > > > > > > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
> > > > > > > > >
> > > > > > > > > ### Proof of SquareSpace (Cardano, Polkdadot)
> > > > > > > > >
> > > > > > > > > Cardano is a UTXO based PoS coin based on Ouroboros Praos3 with an inbuilt on-chain delegation system5.
> > > > > > > > > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
> > > > > > > > > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
> > > > > > > > > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
> > > > > > > > >
> > > > > > > > > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
> > > > > > > > >
> > > > > > > > > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and you never help create a block without seeing it first.
> > > > > > > > >
> > > > > > > > > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
> > > > > > > > > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
> > > > > > > > > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
> > > > > > > > > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
> > > > > > > > > It also grows the size of the blockchain significantly.
> > > > > > > > >
> > > > > > > > > ### "Pure" proof of stake (Algorand)
> > > > > > > > >
> > > > > > > > > Algorand's4 approach is to only allow online stake to participate in the protocol.
> > > > > > > > > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
> > > > > > > > > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"1 that will be used to create blocks on your coin holding key's behalf.
> > > > > > > > > Hopefully you've spotted the problem.
> > > > > > > > > You can send your participation keys to any malicious party with a nice website (see random example 2) offering you a good return.
> > > > > > > > > Damn it's still Proof-of-SquareSpace!
> > > > > > > > > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
> > > > > > > > > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
> > > > > > > > >
> > > > > > > > > ### Conclusion
> > > > > > > > >
> > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
> > > > > > > > > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
> > > > > > > > > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
> > > > > > > > > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
> > > > > > > > > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
> > > > > > > > > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
> > > > > > > > > Would be interested to know if you or others think differently on these points.
> > > > > > > > > Cheers,
> > > > > > > > > LL
> > > > > > > > > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > >
> > > > > > > > > > I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) without compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
> > > > > > > > > > @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
> > > > > > > > > >
> > > > > > > > > > - The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
> > > > > > > > > > - The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
> > > > > > > > > > - The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
> > > > > > > > > > - Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
> > > > > > > > > >
> > > > > > > > > > > Proof-of-stake tends towards oligopolistic control
> > > > > > > > > >
> > > > > > > > > > People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
> > > > > > > > > >
> > > > > > > > > > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> > > > > > > > > >
> > > > > > > > > > I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
> > > > > > > > > >
> > > > > > > > > > > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> > > > > > > > > >
> > > > > > > > > > I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
> > > > > > > > > >
> > > > > > > > > > > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
> > > > > > > > > >
> > > > > > > > > > Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
> > > > > > > > > >
> > > > > > > > > > > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
> > > > > > > > > >
> > > > > > > > > > This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
> > > > > > > > > >
> > > > > > > > > > > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
> > > > > > > > > >
> > > > > > > > > > Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
> > > > > > > > > > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > >
> > > > > > > > > > > Ah sorry, I didn't realize this was, in fact, a different thread! :)
> > > > > > > > > > > On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky mike@powx.org wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
> > > > > > > > > > > > Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> > > > > > > > > > > > Cheers,
> > > > > > > > > > > > Mike
> > > > > > > > > > > > On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > 1. i never suggested vdf's to replace pow.
> > > > > > > > > > > > >
> > > > > > > > > > > > > 2. my suggestion was specifically in the context of a working
> > > > > > > > > > > > > proof-of-burn protocol
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > - vdfs used only for timing (not block height)
> > > > > > > > > > > > > - blind-burned coins of a specific age used to replace proof of work
> > > > > > > > > > > > > - the required "work" per block would simply be a competition to
> > > > > > > > > > > > > acquire rewards, and so miners would have to burn coins, well in
> > > > > > > > > > > > > advance, and hope that their burned coins got rewarded in some far
> > > > > > > > > > > > > future
> > > > > > > > > > > > >
> > > > > > > > > > > > > - the point of burned coins is to mimic, in every meaningful way, the
> > > > > > > > > > > > > value gained from proof of work... without some of the security
> > > > > > > > > > > > > drawbacks
> > > > > > > > > > > > >
> > > > > > > > > > > > > - the miner risks losing all of his burned coins (like all miners risk
> > > > > > > > > > > > > losing their work in each block)
> > > > > > > > > > > > >
> > > > > > > > > > > > > - new burns can't be used
> > > > > > > > > > > > > - old burns age out (like ASICs do)
> > > > > > > > > > > > > - other requirements on burns might be needed to properly mirror the
> > > > > > > > > > > > > properties of PoW and the incentives Bitcoin uses to mine honestly.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > 3. i do believe it is possible that a "burned coin + vdf system"
> > > > > > > > > > > > > might be more secure in the long run, and that if the entire space
> > > > > > > > > > > > > agreed that such an endeavor was worthwhile, a test net could be spun
> > > > > > > > > > > > > up, and a hard-fork could be initiated.
> > > > > > > > > > > > >
> > > > > > > > > > > > > 4. i would never suggest such a thing unless i believed it was
> > > > > > > > > > > > > possible that consensus was possible. so no, this is not an "alt
> > > > > > > > > > > > > coin"
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Tue, May 18, 2021 at 10:02 AM Zac Greenwood zachgrw@gmail.com wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Hi ZmnSCPxj,
> > > > > > > > > > > > > > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
> > > > > > > > > > > > > > Zac
> > > > > > > > > > > > > > On Tue, 18 May 2021 at 12:42, ZmnSCPxj ZmnSCPxj@protonmail.com wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Good morning Zac,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > VDFs might enable more constant block times, for instance by having a two-step PoW:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > As a result, variation in block times will be greatly reduced.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
> > > > > > > > > > > > > > > Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even worse competition and even more energy consumption.
> > > > > > > > > > > > > > > After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where only you can mine in the entire world.
> > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > ZmnSCPxj
> > > > > > > > > > > > >
> > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > www.PoWx.org
> > > > > > > > > > >
> > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > >
> > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > >
> > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-28 14:40 ` befreeandopen
@ 2021-05-28 20:06 ` Erik Aronesty
2021-05-28 21:40 ` Billy Tetrud
2021-06-01 8:21 ` befreeandopen
0 siblings, 2 replies; 67+ messages in thread
From: Erik Aronesty @ 2021-05-28 20:06 UTC (permalink / raw)
To: befreeandopen; +Cc: Bitcoin Protocol Discussion, SatoshiSingh, Billy Tetrud
best writeup i know of is here:
https://en.bitcoin.it/wiki/Proof_of_burn
no formal proposals or proofs that i know of.
On Fri, May 28, 2021 at 10:40 AM befreeandopen
<befreeandopen@protonmail.com> wrote:
>
> Erik, I am sorry, I have little knowledge about proof-of-burn, I never found it interesting up until now. Some of your recent claims seem quite strong to me and I'd like to read more.
>
> Forgive me if this has been mentioned recently, but is there a full specification of the concept you are referring to? I don't mean just the basic idea description (that much is clear to me), I mean a fully detailed proposal or technical documentation that would give me a precise information about what exactly it is that you are talking about.
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty <erik@q32.com> wrote:
>
> > note: the "nothing at stake" problem you propose is not broken for
> > proof-of-burn, because the attacker
> >
> > a) has no idea which past transactions are burns
> > b) has no way to use his mining power, even 5%, to maliciously improve
> > his odds of being selected
> >
> > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > befreeandopen@protonmail.com wrote:
> >
> > > @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
> > >
> > > 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> > > 2. They receive a new block minted by someone else.
> > > 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> > > 4. Profit!
> > >
> > > The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
> > > Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
> > > I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
> > > What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
> > > Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
> > > How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
> > >
> > > > the problem is not as hard as you think
> > >
> > > I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
> > > This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
> > >
> > > > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
> > >
> > > I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
> > > Perhaps you should quote the full sentence and not just a part of it:
> > > "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
> > > You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
> > > In case of the punishment it was meant to be the not solve it completely part.
> > > Also "typically" does not imply always.
> > > But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
> > >
> > > > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
> > >
> > > Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
> > > This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
> > >
> > > > Just because of the above we must reject PoS as being critically insecure
> > >
> > > I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
> > > I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
> > > Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
> > > On Tue, May 25, 2021 at 11:10 AM befreeandopen befreeandopen@protonmail.com wrote:
> > >
> > > > @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
> > > > The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
> > > > This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
> > > >
> > > > > I am not sure if this is what you call quorum-based PoS
> > > >
> > > > Yes, pre-selected minters is exactly what I mean by that.
> > > >
> > > > > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
> > > >
> > > > Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
> > > > I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
> > > > Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
> > > > While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
> > > > Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
> > > > Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
> > > > So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
> > > > It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
> > > > Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
> > > > On Tue, May 25, 2021 at 3:00 AM Erik Aronesty erik@q32.com wrote:
> > > >
> > > > > > > you burn them to be used at a future particular block height
> > > > >
> > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > >
> > > > > could be right. the original idea was to have burns decay over time,
> > > > > like ASIC's.
> > > > > anyway the point was not that "i had a magic formula"
> > > > > the point was that proof of burn is almost always better than proof of
> > > > > stake - simply because the "proof" is on-chain, not sitting on a node
> > > > > somewhere waiting to be stolen.
> > > > > On Mon, May 24, 2021 at 9:53 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > >
> > > > > > Is this the kind of proof of burn you're talking about?
> > > > > >
> > > > > > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
> > > > > >
> > > > > > What prevents you from attempting to mine block 553 on both chains?
> > > > > >
> > > > > > > miners have a very strong, long-term, investment in the stability of the chain.
> > > > > >
> > > > > > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
> > > > > >
> > > > > > > you burn them to be used at a future particular block height
> > > > > >
> > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > >
> > > > > > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
> > > > > >
> > > > > > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
> > > > > > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty erik@q32.com wrote:
> > > > > >
> > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > I'm fuzzy on how proof of burn works.
> > > > > > >
> > > > > > > when you burn coins, you burn them to be used at a future particular
> > > > > > > block height: so if i'm burning for block 553, i can only use them to
> > > > > > > mine block 553. if i have a choice between two chains, one longer
> > > > > > > and one shorter, i can only choose one... deterministically, for that
> > > > > > > burn: the chain with the height 553. if we fix the "lead time" for
> > > > > > > burned coins to be weeks or even months in advance, miners have a very
> > > > > > > strong, long-term, investment in the stability of the chain.
> > > > > > > therefore there is no "nothing at stake" problem. it's
> > > > > > > deterministic, so miners have no choice. they can only choose the
> > > > > > > transactions that go into the block. they cannot choose which chain
> > > > > > > to mine, and it's time-locked, so rollbacks and instability always
> > > > > > > hurt miners the most.
> > > > > > > the "punishment" systems of PoS are "weird at best", certainly
> > > > > > > unproven. i can imagine scenarios where large stakeholders can
> > > > > > > collude to punish smaller stakeholders simply to drive them out of
> > > > > > > business, for example. and then you have to put checks in place to
> > > > > > > prevent that, and more checks for those prevention system...
> > > > > > > in PoB, there is no complexity. simpler systems like this are
> > > > > > > typically more secure.
> > > > > > > PoB also solves problems caused by "energy dependence", which could
> > > > > > > lead to state monopolies on mining (like the new Bitcoin Mining
> > > > > > > Council). these consortiums, if state sanctioned, could become a
> > > > > > > source of censorship, for example. Since PoB doesn't require you to
> > > > > > > have a live, well-connected node, it's harder to censor & harder to
> > > > > > > trace.
> > > > > > > Eliminating this weakness seems to be in the best interests of
> > > > > > > existing stakeholders
> > > > > > > On Mon, May 24, 2021 at 4:44 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > >
> > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > >
> > > > > > > > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
> > > > > > > >
> > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > >
> > > > > > > > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
> > > > > > > >
> > > > > > > > > proof of burn can be more secure than proof-of-stake
> > > > > > > >
> > > > > > > > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
> > > > > > > > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > >
> > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > >
> > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > >
> > > > > > > > > > how does proof of burn solve the "nothing at stake" problem in your view?
> > > > > > > > >
> > > > > > > > > definition of nothing at stake: in the event of a fork, whether the
> > > > > > > > > fork is accidental or a malicious, the optimal strategy for any miner
> > > > > > > > > is to mine on every chain, so that the miner gets their reward no
> > > > > > > > > matter which fork wins. indeed in proof-of-stake, the proofs are
> > > > > > > > > published on the very chains mines, so the incentive is magnified.
> > > > > > > > > in proof-of-burn, your burn investment is always "at stake", any
> > > > > > > > > redaction can result in a loss-of-burn, because burns can be tied,
> > > > > > > > > precisely, to block-heights
> > > > > > > > > as a result, miners no longer have an incentive to mine all chains
> > > > > > > > > in this way proof of burn can be more secure than proof-of-stake, and
> > > > > > > > > even more secure than proof of work
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> > > > > > > > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > >
> > > > > > > > > > Hi Billy,
> > > > > > > > > > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
> > > > > > > > > > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
> > > > > > > > > > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> > > > > > > > > > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
> > > > > > > > > > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
> > > > > > > > > > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
> > > > > > > > > > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
> > > > > > > > > > In PoS systems this clean separation of responsibilities does not exist.
> > > > > > > > > > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
> > > > > > > > > > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
> > > > > > > > > > But the devil is in the detail.
> > > > > > > > > > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
> > > > > > > > > >
> > > > > > > > > > ### Proof of SquareSpace (Cardano, Polkdadot)
> > > > > > > > > >
> > > > > > > > > > Cardano is a UTXO based PoS coin based on Ouroboros Praos3 with an inbuilt on-chain delegation system5.
> > > > > > > > > > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
> > > > > > > > > > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
> > > > > > > > > > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
> > > > > > > > > >
> > > > > > > > > > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
> > > > > > > > > >
> > > > > > > > > > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and you never help create a block without seeing it first.
> > > > > > > > > >
> > > > > > > > > > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
> > > > > > > > > > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
> > > > > > > > > > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
> > > > > > > > > > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
> > > > > > > > > > It also grows the size of the blockchain significantly.
> > > > > > > > > >
> > > > > > > > > > ### "Pure" proof of stake (Algorand)
> > > > > > > > > >
> > > > > > > > > > Algorand's4 approach is to only allow online stake to participate in the protocol.
> > > > > > > > > > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
> > > > > > > > > > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"1 that will be used to create blocks on your coin holding key's behalf.
> > > > > > > > > > Hopefully you've spotted the problem.
> > > > > > > > > > You can send your participation keys to any malicious party with a nice website (see random example 2) offering you a good return.
> > > > > > > > > > Damn it's still Proof-of-SquareSpace!
> > > > > > > > > > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
> > > > > > > > > > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
> > > > > > > > > >
> > > > > > > > > > ### Conclusion
> > > > > > > > > >
> > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
> > > > > > > > > > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
> > > > > > > > > > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
> > > > > > > > > > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
> > > > > > > > > > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
> > > > > > > > > > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
> > > > > > > > > > Would be interested to know if you or others think differently on these points.
> > > > > > > > > > Cheers,
> > > > > > > > > > LL
> > > > > > > > > > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > >
> > > > > > > > > > > I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) without compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
> > > > > > > > > > > @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
> > > > > > > > > > >
> > > > > > > > > > > - The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
> > > > > > > > > > > - The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
> > > > > > > > > > > - The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
> > > > > > > > > > > - Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
> > > > > > > > > > >
> > > > > > > > > > > > Proof-of-stake tends towards oligopolistic control
> > > > > > > > > > >
> > > > > > > > > > > People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
> > > > > > > > > > >
> > > > > > > > > > > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> > > > > > > > > > >
> > > > > > > > > > > I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
> > > > > > > > > > >
> > > > > > > > > > > > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> > > > > > > > > > >
> > > > > > > > > > > I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
> > > > > > > > > > >
> > > > > > > > > > > > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
> > > > > > > > > > >
> > > > > > > > > > > Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
> > > > > > > > > > >
> > > > > > > > > > > > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
> > > > > > > > > > >
> > > > > > > > > > > This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
> > > > > > > > > > >
> > > > > > > > > > > > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
> > > > > > > > > > >
> > > > > > > > > > > Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
> > > > > > > > > > > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Ah sorry, I didn't realize this was, in fact, a different thread! :)
> > > > > > > > > > > > On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky mike@powx.org wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
> > > > > > > > > > > > > Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > Mike
> > > > > > > > > > > > > On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > 1. i never suggested vdf's to replace pow.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 2. my suggestion was specifically in the context of a working
> > > > > > > > > > > > > > proof-of-burn protocol
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - vdfs used only for timing (not block height)
> > > > > > > > > > > > > > - blind-burned coins of a specific age used to replace proof of work
> > > > > > > > > > > > > > - the required "work" per block would simply be a competition to
> > > > > > > > > > > > > > acquire rewards, and so miners would have to burn coins, well in
> > > > > > > > > > > > > > advance, and hope that their burned coins got rewarded in some far
> > > > > > > > > > > > > > future
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - the point of burned coins is to mimic, in every meaningful way, the
> > > > > > > > > > > > > > value gained from proof of work... without some of the security
> > > > > > > > > > > > > > drawbacks
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - the miner risks losing all of his burned coins (like all miners risk
> > > > > > > > > > > > > > losing their work in each block)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - new burns can't be used
> > > > > > > > > > > > > > - old burns age out (like ASICs do)
> > > > > > > > > > > > > > - other requirements on burns might be needed to properly mirror the
> > > > > > > > > > > > > > properties of PoW and the incentives Bitcoin uses to mine honestly.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 3. i do believe it is possible that a "burned coin + vdf system"
> > > > > > > > > > > > > > might be more secure in the long run, and that if the entire space
> > > > > > > > > > > > > > agreed that such an endeavor was worthwhile, a test net could be spun
> > > > > > > > > > > > > > up, and a hard-fork could be initiated.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 4. i would never suggest such a thing unless i believed it was
> > > > > > > > > > > > > > possible that consensus was possible. so no, this is not an "alt
> > > > > > > > > > > > > > coin"
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Tue, May 18, 2021 at 10:02 AM Zac Greenwood zachgrw@gmail.com wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hi ZmnSCPxj,
> > > > > > > > > > > > > > > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
> > > > > > > > > > > > > > > Zac
> > > > > > > > > > > > > > > On Tue, 18 May 2021 at 12:42, ZmnSCPxj ZmnSCPxj@protonmail.com wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Good morning Zac,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > VDFs might enable more constant block times, for instance by having a two-step PoW:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > As a result, variation in block times will be greatly reduced.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
> > > > > > > > > > > > > > > > Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even worse competition and even more energy consumption.
> > > > > > > > > > > > > > > > After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where only you can mine in the entire world.
> > > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > > ZmnSCPxj
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > >
> > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > >
> > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > >
> > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-28 20:06 ` Erik Aronesty
@ 2021-05-28 21:40 ` Billy Tetrud
2021-06-01 8:21 ` befreeandopen
1 sibling, 0 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-05-28 21:40 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh
[-- Attachment #1: Type: text/plain, Size: 47948 bytes --]
@befreeandopen "If you want to make some arbitrary very narrow
definitions of what nothing at stake is so that you can claim your false
statement that it is a solved problem"
Wow, you are really unnecessarily hostile. This isn't r/bitcoin my friend.
Please assume some good faith. I simply pointed out my misunderstanding.
But it sounds like you're not willing to explain yourself clearly nor
actually have a reasoned discussion and prefer to insult me. So I think our
conversation is indeed over.
On Fri, May 28, 2021 at 10:06 AM Erik Aronesty <erik@q32.com> wrote:
> best writeup i know of is here:
>
> https://en.bitcoin.it/wiki/Proof_of_burn
>
> no formal proposals or proofs that i know of.
>
> On Fri, May 28, 2021 at 10:40 AM befreeandopen
> <befreeandopen@protonmail.com> wrote:
> >
> > Erik, I am sorry, I have little knowledge about proof-of-burn, I never
> found it interesting up until now. Some of your recent claims seem quite
> strong to me and I'd like to read more.
> >
> > Forgive me if this has been mentioned recently, but is there a full
> specification of the concept you are referring to? I don't mean just the
> basic idea description (that much is clear to me), I mean a fully detailed
> proposal or technical documentation that would give me a precise
> information about what exactly it is that you are talking about.
> >
> >
> > Sent with ProtonMail Secure Email.
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty <erik@q32.com> wrote:
> >
> > > note: the "nothing at stake" problem you propose is not broken for
> > > proof-of-burn, because the attacker
> > >
> > > a) has no idea which past transactions are burns
> > > b) has no way to use his mining power, even 5%, to maliciously improve
> > > his odds of being selected
> > >
> > > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > > befreeandopen@protonmail.com wrote:
> > >
> > > > @befreeandopen I guess I misunderstood your selfish minting attack.
> Let me make sure I understand it. You're saying it would go as follows?:
> > > >
> > > > 1. The malicious actor comes across an opportunity to mint the next
> 3 blocks. But they hold off and don't release their blocks just yet.
> > > > 2. They receive a new block minted by someone else.
> > > > 3. The malicious actor then chooses to release their other 2 blocks
> on on the second from the top block if it gives them more blocks in the
> future than minting on the top block. And instead lets the top block
> proceed if it gives them more blocks in the future (also figuring in the 3
> blocks they're missing out on minting).
> > > > 4. Profit!
> > > >
> > > > The problem with this attack is that any self respecting PoS system
> wouldn't have the information available for minters to know how blocks will
> affect their future prospects of minting. Otherwise this would introduce
> the problem of stake grinding. This can be done using collaborative
> randomness (where numbers from many parties are combined to create a random
> number that no individual party could predict). In fact, that's what the
> Casper protocol does to decide quorums. In a non quorum case, you can do
> something like record a hash of a number in the block header, and then have
> a second step to release that number later. Rewards can be given can be
> used to ensure minters act honestly here by minting messages that release
> these numbers and not releasing their secret numbers too early.
> > > > Yes, you misunderstood it. First, let me say that the above thoughts
> of yours are incorrect, at least for non-quorum case. Since the transition
> in the blockchain system from S1 to S2 is only by adding new block, and
> since stakers always need to be able to decide whether or not they can add
> the next block, it follows that if a staker creates a new block locally,
> she can decide whether the new state allows her to add another block on
> top. As you mentioned, this COULD introduce problem of staking, that you
> are incorrect in that it is a necessity. Usual prevention of the grinding
> problem in this case is that an "old enough" source of randomness applies
> for the current block production process. Of course this, as it is typical
> for PoS, introduces other problems, but let's discard those.
> > > > I will try to explain in detail what you misunderstood before. You
> start with a chain ending with blocks A-B-C, C being the top, the common
> feature of PoS system (non-quorum), roughly speaking, is that if N is the
> total amount of coins that participate in the staking process to create a
> new block on top of C (let's call that D), then a participant having K*N
> amount of stake has chance K to be the one who will create the next stake.
> In other words, the power of stakers is supposed to be linear in the system
> - you own 10 coins gives you 10x the chance of finding block over someone
> who has 1 coin.
> > > > What i was claiming is that using the technique I have described,
> this linearity is violated. Why? Well, it works for honest stakers among
> the competition of honest stakers - they really do have the chance of K to
> find the next block. However, the attacker, using nothing at stake, checks
> her ability to build block D (at some timestamp). If she is successful, she
> does not propagate D immediately, but instead she also checks whether she
> can build on top of B and on top of A. Since with every new timestamp,
> usually, there is a new chance to build the block, it is not uncommon that
> she finds she is indeed able to build such block C' on top of B. Here it is
> likely t(C') > t(C) as the attacker has relatively low stake. Note that in
> order to produce such C', she not only could have tried the current
> timestamp t(D), but also all previous timestamps up to t(B) (usually that's
> the consensus rule, but it may depend on a specific consensus). So her
> chance to produce such C' is greater than her previous chance of producing
> C (which chance was limited by other stakers in the system and the
> discovery of block C by one of them). Now suppose that she found such C'
> and now she continues by trying to prolong this chain by finding D'. And
> again here, it is quite likely that her chance to find such D' is greater
> than was her chance of finding D because again there are likely multiple
> timestamps she could try. This all was possible just because nothing at
> stake allows you to just try if you can produce a block in certain state of
> block chain or not. Now if she actually was able to find D', she discards D
> and only publishes chain A-B-C'-D', which can not be punished despite the
> fact that she indeed produced two different forks. She can not be punished
> because this production was local and only the final result of A-B-C'-D'
> was published, in which case she gained an extra block over the honest
> strategy which would only give her block D.
> > > > Fun fact tho: there is an attack called the "selfish mining attack"
> for proof of work, and it reduces the security of PoW by at least 1/3rd.
> > > > How is that relevant to our discussion? This is known research that
> has nothing to do with PoS except that it is often worse on PoS.
> > > >
> > > > > the problem is not as hard as you think
> > > >
> > > > I don't claim to know just how hard finding the IP address
> associated with a bitcoin address is. However, the DOS risk can be solved
> more completely by only allowing the owner of coins themselves to know
> whether they can mint a block. Eg by determining whether someone can mint a
> block based on their public key hidden behind hashes (as normal in
> addresses). Only when someone does in fact mint a block do they reveal
> their hidden public key in order to prove they are allowed to mint the
> block.
> > > > This is true, but you are mixing quorum and non-quorum systems. My
> objection here was towards such system where I specifically said that the
> list of producers for next epoch is known up front and you confirmed that
> this is what you meant with "quorum" system. So in such system, I claimed,
> the known producer is the only target at any given point of time. This of
> course does not apply to any other type of system where future producers
> are not known. No need to dispute, again, something that was not claimed.
> > > >
> > > > > I agree that introduction of punishment itself does not imply
> introducing a problem elsewhere (which I did not claim if you reread my
> previous message)
> > > >
> > > > I'm glad we agree there. Perhaps I misunderstood what you meant by
> "you should not omit to mention that by doing so, typically, you have
> introduced another problem elsewhere."
> > > > Perhaps you should quote the full sentence and not just a part of it:
> > > > "Of course you can always change the rules in a way that a certain
> specific attack is not doable, but you should not omit to mention that by
> doing so, typically, you have introduced another problem elsewhere, or you
> have not solved it completely."
> > > > You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT
> COMPLETELY)
> > > > In case of the punishment it was meant to be the not solve it
> completely part.
> > > > Also "typically" does not imply always.
> > > > But this parsing of English sentences for you seems very off topic
> here. My point is, in context of Bitcoin, reject such unsupported claims
> that PoS is a reasonable alternative to PoW, let's stick to that.
> > > >
> > > > > As long as the staker makes sure (which is not that hard) that she
> does not miss a chance to create a block, her significance in the system
> will always increase in time. It will increase relative to all normal users
> who do not stake
> > > >
> > > > Well, if you're in the closed system of the cryptocurrency, sure.
> But we don't live in that closed system. Minters will earn some ROI from
> minting just like any other financial activity. Others may find more
> success spending their time doing things other than figuring out how to
> mint coins. In that case, they'll be able to earn more coin that they could
> later decide to use to mint blocks if they decide to.
> > > > This only supports the point I was making. Since the optimal
> scenario with all existing coins participating is just theoretical, the
> attacker's position will ever so improve. It seems we are in agreement
> here, great.
> > > >
> > > > > Just because of the above we must reject PoS as being critically
> insecure
> > > >
> > > > I think the only thing we can conclude from this is that you have
> come up with an insecure proof of stake protocol. I don't see how anything
> you've brought up amounts to substantial evidence that all possible PoS
> protocols are insecure.
> > > > I have not come up with anything. I'm afraid you've not realized the
> burden of proof is on your side if you vouch for a design that is not
> believed and trusted to be secure. It is up to you to show that you know
> how to solve every problem that people throw at you. So far we have just
> demonstrated that your claim that nothing at stake is solved was
> unjustified. You have not described a system that would solve it (and not
> introduce critical DDOS attack vector as it is in quorum based systems -
> per the prior definition of such systems).
> > > > Of course the list of problems of PoS systems do not end with just
> nothing at stake, but it is good enough example that by itself prevents its
> adoption in decentralized consensus. No need to go to other hard problems
> without solving nothing at stake.
> > > > On Tue, May 25, 2021 at 11:10 AM befreeandopen
> befreeandopen@protonmail.com wrote:
> > > >
> > > > > @befreeandopen " An attacker can calculate whether or not she can
> prolong this chain or not and if so with what timestamp."
> > > > > The scenario you describe would only be likely to happen at all if
> the malicious actor has a very large fraction of the stake - probably quite
> close to 50%. At that point, you're talking about a 51% attack, not the
> nothing at stake problem. The nothing at stake problem is the problem where
> anyone will mint on any chain. Its clear that if there's a substantial
> punishment for minting on chains other than the one that eventually wins,
> every minter without a significant fraction of the stake will be honest and
> not attempt to mint on old blocks or support someone else's attempt to mint
> on old blocks (until and if it becomes the heaviest chain). Because the
> attacker would need probably >45% of the active stake (take a look at the
> reasoning here for a deeper analysis of that statement), I don't agree that
> punishment is not a sufficient mitigation of the nothing at stake problem.
> To exploit the nothing at stake problem, you basically need to 51% attack,
> at which point you've exceeded the operating conditions of the system, so
> of course its gonna have problems, just like a 51% attack would cause with
> PoW.
> > > > > This is not at all the case. The attacker benefits using the
> described technique at any size of the stake and significantly so with just
> 5% of the stake. By significantly, I do not mean that the attacker is able
> to completely take control the network (in short term), but rather that the
> attacker has significant advantage in the number of blocks she creates
> compared to what she "should be able to create". This means the attacker's
> stake increases significantly faster than of the honest nodes, which in
> long term is very serious in PoS system. If you believe close to 50% is
> needed for that, you need to redo your math. So no, you are wrong stating
> that "to exploit nothing at stake problem you basically need to 51%
> attack". It is rather the opposite - eventually, nothing at stake attack
> leads to ability to perform 51% attack.
> > > > >
> > > > > > I am not sure if this is what you call quorum-based PoS
> > > > >
> > > > > Yes, pre-selected minters is exactly what I mean by that.
> > > > >
> > > > > > it allows the attacker to know who to attack at which point with
> powerful DDOS in order to hurt liveness of such system
> > > > >
> > > > > Just like in bitcoin, associating keys with IP addresses isn't
> generally an easy thing to do on the fly like that. If you know someone's
> IP address, you can target them. But if you only know their address or
> public key, the reverse isn't as easy. With a quorum-based PoS system, you
> can see their public key and address, but finding out their IP to DOS would
> be a huge challenge I think.
> > > > > I do not dispute that the problem is not trivial, but the problem
> is not as hard as you think. The network graph analysis is a known
> technique and it is not trivial, but not very hard either. Introducing a
> large number of nodes to the system to achieve very good success rate of
> analysis of area of origin of blocks is doable and has been done in past.
> So again, I very much disagree with your conclusion that this is somehow
> secure. It is absolutely insecure.
> > > > > Note, tho, that quorum-based PoS generally also have punishments
> as part of the protocol. The introduction of punishments do indeed handily
> solve the nothing at stake problem. And you didn't mention a single problem
> that the punishments introduce that weren't already there before
> punishments. There are tradeoffs with introducing punishments (eg in some
> cases you might punish honest actors), but they are minor in comparison to
> solving the nothing at stake problem.
> > > > > While I agree that introduction of punishment itself does not
> imply introducing a problem elsewhere (which I did not claim if you reread
> my previous message), it does introduce additional complexity which may
> introduce problem, but more importantly, while it slightly improves
> resistance against the nothing at stake attack, it solves absolutely
> nothing. Your claim is based on wrong claim of needed close to 50% stake,
> but that could not be farther from the truth. It is not true even in
> optimal conditions when all participants of the network stake or delegate
> their stake. These optimal conditions rarely, if ever, occur. And that's
> another thing that we have not mention in our debate, so please allow me to
> introduce another problem to PoS.
> > > > > Consider what is needed for such optimal conditions to occur - all
> coins are always part of the stake, which means that they need to somehow
> automatically part of the staking process even when they are moved. But in
> many PoS systems you usually require some age (in terms of confirmations)
> of the coin before you allow it to be used for participation in staking
> process and that is for a good reason - to prevent various grinding
> attacks. In some systems the coin must be specifically registered before it
> can be staked, in others, simply waiting for enough confirmations enables
> you to stake with the coin. I am not sure if there is a system which does
> not have this cooling period for a coin that has been moved. Maybe it is
> possible though, but AFAIK it is not common and not battle tested feature.
> > > > > Then if we admit that achieving the optimal condition is rather
> theoretical. Then if we do not have the optimal condition, it means that a
> staker with K% of the total available supply increases it's percentage over
> time to some amounts >K%. As long as the staker makes sure (which is not
> that hard) that she does not miss a chance to create a block, her
> significance in the system will always increase in time. It will increase
> relative to all normal users who do not stake (if there are any) and
> relative to all other stakers who make mistakes or who are not wealthy
> enough to afford not selling any position ever. But powerful attacker is
> exactly in such position and thus she will gain significance in such a
> system. The technique I have described, and that you mistakenly think is
> viable only with huge amounts of stake, only puts the attacker to even
> greater advantage. But even without the described attack (which exploits
> nothing at stake), the PoS system converges to a system more and more
> controlled by powerful entity, which we can assume is the attacker.
> > > > > So I don't think it is at all misleading to claim that "nothing at
> stake" is a solved problem. I do in fact mean that the solutions to that
> problem don't introduce any other problems with anywhere near the same
> level of significance.
> > > > > It still stands as truly misleading claim. I disagree that
> introducing DDOS opportunity with medium level of difficulty for the
> attacker to implement it, in case of "quorum-based PoS" is not a problem
> anywhere near the same level of significance. Such an attack vector allows
> you to turn off the network if you spend some time and money. That is
> hardly acceptable.
> > > > > Just because of the above we must reject PoS as being critically
> insecure until someone invents and demonstrates an actual way of solving
> these issues.
> > > > > On Tue, May 25, 2021 at 3:00 AM Erik Aronesty erik@q32.com wrote:
> > > > >
> > > > > > > > you burn them to be used at a future particular block height
> > > > > >
> > > > > > > This sounds exploitable. It seems like an attacker could
> simply focus all their burns on a particular set of 6 blocks to double
> spend, minimizing their cost of attack.
> > > > > >
> > > > > > could be right. the original idea was to have burns decay over
> time,
> > > > > > like ASIC's.
> > > > > > anyway the point was not that "i had a magic formula"
> > > > > > the point was that proof of burn is almost always better than
> proof of
> > > > > > stake - simply because the "proof" is on-chain, not sitting on a
> node
> > > > > > somewhere waiting to be stolen.
> > > > > > On Mon, May 24, 2021 at 9:53 PM Billy Tetrud
> billy.tetrud@gmail.com wrote:
> > > > > >
> > > > > > > Is this the kind of proof of burn you're talking about?
> > > > > > >
> > > > > > > > if i have a choice between two chains, one longer and one
> shorter, i can only choose one... deterministically
> > > > > > >
> > > > > > > What prevents you from attempting to mine block 553 on both
> chains?
> > > > > > >
> > > > > > > > miners have a very strong, long-term, investment in the
> stability of the chain.
> > > > > > >
> > > > > > > Yes, but the same can be said of any coin, even ones that do
> have the nothing at stake problem. This isn't sufficient tho because the
> chain is a common good, and the tragedy of the commons holds for it.
> > > > > > >
> > > > > > > > you burn them to be used at a future particular block height
> > > > > > >
> > > > > > > This sounds exploitable. It seems like an attacker could
> simply focus all their burns on a particular set of 6 blocks to double
> spend, minimizing their cost of attack.
> > > > > > >
> > > > > > > > i can imagine scenarios where large stakeholders can collude
> to punish smaller stakeholders simply to drive them out of business, for
> example
> > > > > > >
> > > > > > > Are you talking about a 51% attack? This is possible in any
> decentralized cryptocurrency.
> > > > > > > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty erik@q32.com
> wrote:
> > > > > > >
> > > > > > > > > > your burn investment is always "at stake", any redaction
> can result in a loss-of-burn, because burns can be tied, precisely, to
> block-heights
> > > > > > > > > > I'm fuzzy on how proof of burn works.
> > > > > > > >
> > > > > > > > when you burn coins, you burn them to be used at a future
> particular
> > > > > > > > block height: so if i'm burning for block 553, i can only
> use them to
> > > > > > > > mine block 553. if i have a choice between two chains, one
> longer
> > > > > > > > and one shorter, i can only choose one... deterministically,
> for that
> > > > > > > > burn: the chain with the height 553. if we fix the "lead
> time" for
> > > > > > > > burned coins to be weeks or even months in advance, miners
> have a very
> > > > > > > > strong, long-term, investment in the stability of the chain.
> > > > > > > > therefore there is no "nothing at stake" problem. it's
> > > > > > > > deterministic, so miners have no choice. they can only
> choose the
> > > > > > > > transactions that go into the block. they cannot choose
> which chain
> > > > > > > > to mine, and it's time-locked, so rollbacks and instability
> always
> > > > > > > > hurt miners the most.
> > > > > > > > the "punishment" systems of PoS are "weird at best",
> certainly
> > > > > > > > unproven. i can imagine scenarios where large stakeholders
> can
> > > > > > > > collude to punish smaller stakeholders simply to drive them
> out of
> > > > > > > > business, for example. and then you have to put checks in
> place to
> > > > > > > > prevent that, and more checks for those prevention system...
> > > > > > > > in PoB, there is no complexity. simpler systems like this are
> > > > > > > > typically more secure.
> > > > > > > > PoB also solves problems caused by "energy dependence",
> which could
> > > > > > > > lead to state monopolies on mining (like the new Bitcoin
> Mining
> > > > > > > > Council). these consortiums, if state sanctioned, could
> become a
> > > > > > > > source of censorship, for example. Since PoB doesn't require
> you to
> > > > > > > > have a live, well-connected node, it's harder to censor &
> harder to
> > > > > > > > trace.
> > > > > > > > Eliminating this weakness seems to be in the best interests
> of
> > > > > > > > existing stakeholders
> > > > > > > > On Mon, May 24, 2021 at 4:44 PM Billy Tetrud
> billy.tetrud@gmail.com wrote:
> > > > > > > >
> > > > > > > > > > proof of burn clearly solves this, since nothing is held
> online
> > > > > > > > >
> > > > > > > > > Well.. the coins to be burned need to be online when
> they're burned. But yes, only a small fraction of the total coins need to
> be online.
> > > > > > > > >
> > > > > > > > > > your burn investment is always "at stake", any redaction
> can result in a loss-of-burn, because burns can be tied, precisely, to
> block-heights
> > > > > > > > >
> > > > > > > > > So you're saying that if say someone tries to mine a block
> on a shorter chain, that requires them to send a transaction burning their
> coins, and that transaction could also be spent on the longest chain, which
> means their coins are burned even if the chain they tried to mine on
> doesn't win? I'm fuzzy on how proof of burn works.
> > > > > > > > >
> > > > > > > > > > proof of burn can be more secure than proof-of-stake
> > > > > > > > >
> > > > > > > > > FYI, proof of stake can be done without the "nothing at
> stake" problem. You can simply punish people who mint on shorter chains (by
> rewarding people who publish proofs of this happening on the main chain).
> In quorum-based PoS, you can punish people in the quorum that propose or
> sign multiple blocks for the same height. The "nothing at stake" problem is
> a solved problem at this point for PoS.
> > > > > > > > > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty erik@q32.com
> wrote:
> > > > > > > > >
> > > > > > > > > > > I don't see a way to get around the conflicting
> requirement that the keys for large amounts of coins should be kept offline
> but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > >
> > > > > > > > > > proof of burn clearly solves this, since nothing is held
> online
> > > > > > > > > >
> > > > > > > > > > > how does proof of burn solve the "nothing at stake"
> problem in your view?
> > > > > > > > > >
> > > > > > > > > > definition of nothing at stake: in the event of a fork,
> whether the
> > > > > > > > > > fork is accidental or a malicious, the optimal strategy
> for any miner
> > > > > > > > > > is to mine on every chain, so that the miner gets their
> reward no
> > > > > > > > > > matter which fork wins. indeed in proof-of-stake, the
> proofs are
> > > > > > > > > > published on the very chains mines, so the incentive is
> magnified.
> > > > > > > > > > in proof-of-burn, your burn investment is always "at
> stake", any
> > > > > > > > > > redaction can result in a loss-of-burn, because burns
> can be tied,
> > > > > > > > > > precisely, to block-heights
> > > > > > > > > > as a result, miners no longer have an incentive to mine
> all chains
> > > > > > > > > > in this way proof of burn can be more secure than
> proof-of-stake, and
> > > > > > > > > > even more secure than proof of work
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via
> bitcoin-dev
> > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi Billy,
> > > > > > > > > > > I was going to write a post which started by
> dismissing many of the weak arguments that are made against PoS made in
> this thread and elsewhere.
> > > > > > > > > > > Although I don't agree with all your points you have
> done a decent job here so I'll focus on the second part: why I think
> Proof-of-Stake is inappropriate for a Bitcoin-like system.
> > > > > > > > > > > Proof of stake is not fit for purpose for a global
> settlement layer in a pure digital asset (i.e. "digital gold") which is
> what Bitcoin is trying to be.
> > > > > > > > > > > PoS necessarily gives responsibilities to the holders
> of coins that they do not want and cannot handle.
> > > > > > > > > > > In Bitcoin, large unsophisticated coin holders can put
> their coins in cold storage without a second thought given to the health of
> the underlying ledger.
> > > > > > > > > > > As much as hardcore Bitcoiners try to convince them to
> run their own node, most don't, and that's perfectly acceptable.
> > > > > > > > > > > At no point do their personal decisions affect the
> underlying consensus -- it only affects their personal security assurance
> (not that of the system itself).
> > > > > > > > > > > In PoS systems this clean separation of
> responsibilities does not exist.
> > > > > > > > > > > I think that the more rigorously studied PoS protocols
> will work fine within the security claims made in their papers.
> > > > > > > > > > > People who believe that these protocols are destined
> for catastrophic consensus failure are certainly in for a surprise.
> > > > > > > > > > > But the devil is in the detail.
> > > > > > > > > > > Let's look at what the implications of using the
> leading proof of stake protocols would have on Bitcoin:
> > > > > > > > > > >
> > > > > > > > > > > ### Proof of SquareSpace (Cardano, Polkdadot)
> > > > > > > > > > >
> > > > > > > > > > > Cardano is a UTXO based PoS coin based on Ouroboros
> Praos3 with an inbuilt on-chain delegation system5.
> > > > > > > > > > > In these protocols, coin holders who do not want to
> run their node with their hot keys in it delegate it to a "Stake Pool".
> > > > > > > > > > > I call the resulting system Proof-of-SquareSpace since
> most will choose a pool by looking around for one with a nice website and
> offering the largest share of the block reward.
> > > > > > > > > > > On the surface this might sound no different than
> someone with an mining rig shopping around for a good mining pool but there
> are crucial differences:
> > > > > > > > > > >
> > > > > > > > > > > 1. The person making the decision is forced into it
> just because they own the currency -- someone with a mining rig has
> purchased it with the intent to make profit by participating in consensus.
> > > > > > > > > > >
> > > > > > > > > > > 2. When you join a mining pool your systems are very
> much still online. You are just partaking in a pool to reduce your profit
> variance. You still see every block that you help create and you never help
> create a block without seeing it first.
> > > > > > > > > > >
> > > > > > > > > > > 3. If by SquareSpace sybil attack you gain a
> dishonest majority and start censoring transactions how are the users meant
> to redelegate their stake to honest pools?
> > > > > > > > > > > I guess they can just send a transaction
> delegating to another pool...oh wait I guess that might be censored too!
> This seems really really bad.
> > > > > > > > > > > In Bitcoin, miners can just join a different pool
> at a whim. There is nothing the attacker can do to stop them. A temporary
> dishonest majority heals relatively well.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > There is another severe disadvantage to this on-chain
> delegation system: every UTXO must indicate which staking account this UTXO
> belongs to so the appropriate share of block rewards can be transferred
> there.
> > > > > > > > > > > Being able to associate every UTXO to an account ruins
> one of the main privacy advantages of the UTXO model.
> > > > > > > > > > > It also grows the size of the blockchain significantly.
> > > > > > > > > > >
> > > > > > > > > > > ### "Pure" proof of stake (Algorand)
> > > > > > > > > > >
> > > > > > > > > > > Algorand's4 approach is to only allow online stake to
> participate in the protocol.
> > > > > > > > > > > Theoretically, This means that keys holding funds have
> to be online in order for them to author blocks when they are chosen.
> > > > > > > > > > > Of course in reality no one wants to keep their coin
> holding keys online so in Alogorand you can authorize a set of
> "participation keys"1 that will be used to create blocks on your coin
> holding key's behalf.
> > > > > > > > > > > Hopefully you've spotted the problem.
> > > > > > > > > > > You can send your participation keys to any malicious
> party with a nice website (see random example 2) offering you a good return.
> > > > > > > > > > > Damn it's still Proof-of-SquareSpace!
> > > > > > > > > > > The minor advantage is that at least the participation
> keys expire after a certain amount of time so eventually the SquareSpace
> attacker will lose their hold on consensus.
> > > > > > > > > > > Importantly there is also less junk on the blockchain
> because the participation keys are delegated off-chain and so are not
> making as much of a mess.
> > > > > > > > > > >
> > > > > > > > > > > ### Conclusion
> > > > > > > > > > >
> > > > > > > > > > > I don't see a way to get around the conflicting
> requirement that the keys for large amounts of coins should be kept offline
> but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > > If we allow delegation then we open up a new social
> attack surface and it degenerates to Proof-of-SquareSpace.
> > > > > > > > > > > For a "digital gold" like system like Bitcoin we
> optimize for simplicity and desperately want to avoid extraneous
> responsibilities for the holder of the coin.
> > > > > > > > > > > After all, gold is an inert element on the periodic
> table that doesn't confer responsibilities on the holder to maintain the
> quality of all the other bars of gold out there.
> > > > > > > > > > > Bitcoin feels like this too and in many ways is more
> inert and beautifully boring than gold.
> > > > > > > > > > > For Bitcoin to succeed I think we need to keep it that
> way and Proof-of-Stake makes everything a bit too exciting.
> > > > > > > > > > > I suppose in the end the market will decide what is
> real digital gold and whether these bad technical trade offs are worth
> being able to say it uses less electricity. It goes without saying that
> making bad technical decisions to appease the current political climate is
> an anathema to Bitcoin.
> > > > > > > > > > > Would be interested to know if you or others think
> differently on these points.
> > > > > > > > > > > Cheers,
> > > > > > > > > > > LL
> > > > > > > > > > > On Fri, 21 May 2021 at 19:21, Billy Tetrud via
> bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I think there is a lot of misinformation and bias
> against Proof of Stake. Yes there have been lots of shady coins that use
> insecure PoS mechanisms. Yes there have been massive issues with
> distribution of PoS coins (of course there have also been massive issues
> with PoW coins as well). However, I want to remind everyone that there is a
> difference between "proved to be impossible" and "have not achieved
> recognized success yet". Most of the arguments levied against PoS are out
> of date or rely on unproven assumptions or extrapolation from the analysis
> of a particular PoS system. I certainly don't think we should experiment
> with bitcoin by switching to PoS, but from my research, it seems very
> likely that there is a proof of stake consensus protocol we could build
> that has substantially higher security (cost / capital required to execute
> an attack) while at the same time costing far less resources (which do
> translate to fees on the network) without compromising any of the critical
> security properties bitcoin relies on. I think the critical piece of this
> is the disagreements around hardcoded checkpoints, which is a critical
> piece solving attacks that could be levied on a PoS chain, and how that
> does (or doesn't) affect the security model.
> > > > > > > > > > > > @Eric Your proof of stake fallacy seems to be saying
> that PoS is worse when a 51% attack happens. While I agree, I think that
> line of thinking omits important facts:
> > > > > > > > > > > >
> > > > > > > > > > > > - The capital required to 51% attack a PoS chain
> can be made substantially greater than on a PoS chain.
> > > > > > > > > > > > - The capital the attacker stands to lose can be
> substantially greater as well if the attack is successful.
> > > > > > > > > > > > - The effectiveness of paying miners to raise the
> honest fraction of miners above 50% may be quite bad.
> > > > > > > > > > > > - Allowing a 51% attack is already unacceptable.
> It should be considered whether what happens in the case of a 51% may not
> be significantly different. The currency would likely be critically damaged
> in a 51% attack regardless of consensus mechanism.
> > > > > > > > > > > >
> > > > > > > > > > > > > Proof-of-stake tends towards oligopolistic control
> > > > > > > > > > > >
> > > > > > > > > > > > People repeat this often, but the facts support
> this. There is no centralization pressure in any proof of stake mechanism
> that I'm aware of. IE if you have 10 times as much coin that you use to
> mint blocks, you should expect to earn 10x as much minting revenue - not
> more than 10x. By contrast, proof of work does in fact have clear
> centralization pressure - this is not disputed. Our goal in relation to
> that is to ensure that the centralization pressure remains insignifiant.
> Proof of work also clearly has a lot more barriers to entry than any proof
> of stake system does. Both of these mean the tendency towards oligopolistic
> control is worse for PoW.
> > > > > > > > > > > >
> > > > > > > > > > > > > Energy usage, in-and-of-itself, is nothing to be
> ashamed of!!
> > > > > > > > > > > >
> > > > > > > > > > > > I certainly agree. Bitcoin's energy usage at the
> moment is I think quite warranted. However, the question is: can we do
> substantially better. I think if we can, we probably should... eventually.
> > > > > > > > > > > >
> > > > > > > > > > > > > Proof of Stake is only resilient to ⅓ of the
> network demonstrating a Byzantine Fault, whilst Proof of Work is resilient
> up to the ½ threshold
> > > > > > > > > > > >
> > > > > > > > > > > > I see no mention of this in the pos.pdf you linked
> to. I'm not aware of any proof that all PoS systems have a failure
> threshold of 1/3. I know that staking systems like Casper do in fact have
> that 1/3 requirement. However there are PoS designs that should exceed that
> up to nearly 50% as far as I'm aware. Proof of work is not in fact
> resilient up to the 1/2 threshold in the way you would think. IE, if 100%
> of miners are currently honest and have a collective 100 exahashes/s
> hashpower, an attacker does not need to obtain 100 exahashes/s, but
> actually only needs to accumulate 50 exahashes/s. This is because as the
> attacker accumulates hashpower, it drives honest miners out of the market
> as the difficulty increases to beyond what is economically sustainable.
> Also, its been shown that the best proof of work can do is require an
> attacker to obtain 33% of the hashpower because of the selfish mining
> attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243.
> Together, both of these things reduce PoW's security by a factor of about
> 83% (1 - 50%*33%).
> > > > > > > > > > > >
> > > > > > > > > > > > > Proof of Stake requires other trade-offs which are
> incompatible with Bitcoin's objective (to be a trustless digital cash) —
> specifically the famous "security vs. liveness" guarantee
> > > > > > > > > > > >
> > > > > > > > > > > > Do you have a good source that talks about why you
> think proof of stake cannot be used for a trustless digital cash?
> > > > > > > > > > > >
> > > > > > > > > > > > > You cannot gain tokens without someone choosing to
> give up those coins - a form of permission.
> > > > > > > > > > > >
> > > > > > > > > > > > This is not a practical constraint. Just like in
> mining, some nodes may reject you, but there will likely be more that will
> accept you, some sellers may reject you, but most would accept your money
> as payment for bitcoins. I don't think requiring the "permission" of one of
> millions of people in the market can be reasonably considered a
> "permissioned currency".
> > > > > > > > > > > >
> > > > > > > > > > > > > 2. Proof of stake must have a trusted means of
> timestamping to regulate overproduction of blocks
> > > > > > > > > > > >
> > > > > > > > > > > > Both PoW and PoS could mine/mint blocks twice as
> fast if everyone agreed to double their clock speeds. Both systems rely on
> an honest majority sticking to standard time.
> > > > > > > > > > > > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky
> via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Ah sorry, I didn't realize this was, in fact, a
> different thread! :)
> > > > > > > > > > > > > On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky
> mike@powx.org wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Folks, I suggest we keep the discussion to PoW,
> oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess
> there are other threads going on these topics already where they would be
> relevant.
> > > > > > > > > > > > > > Also, it's important to distinguish between oPoW
> and these other "alternatives" to Hashcash. oPoW is a true Proof of Work
> that doesn't alter the core game theory or security assumptions of Hashcash
> and actually contains SHA (can be SHA3, SHA256, etc hash is
> interchangeable).
> > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > Mike
> > > > > > > > > > > > > > On Tue, May 18, 2021 at 4:55 PM Erik Aronesty
> via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 1. i never suggested vdf's to replace pow.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 2. my suggestion was specifically in the
> context of a working
> > > > > > > > > > > > > > > proof-of-burn protocol
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - vdfs used only for timing (not block
> height)
> > > > > > > > > > > > > > > - blind-burned coins of a specific age used
> to replace proof of work
> > > > > > > > > > > > > > > - the required "work" per block would simply
> be a competition to
> > > > > > > > > > > > > > > acquire rewards, and so miners would have
> to burn coins, well in
> > > > > > > > > > > > > > > advance, and hope that their burned coins
> got rewarded in some far
> > > > > > > > > > > > > > > future
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - the point of burned coins is to mimic, in
> every meaningful way, the
> > > > > > > > > > > > > > > value gained from proof of work... without
> some of the security
> > > > > > > > > > > > > > > drawbacks
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - the miner risks losing all of his burned
> coins (like all miners risk
> > > > > > > > > > > > > > > losing their work in each block)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - new burns can't be used
> > > > > > > > > > > > > > > - old burns age out (like ASICs do)
> > > > > > > > > > > > > > > - other requirements on burns might be
> needed to properly mirror the
> > > > > > > > > > > > > > > properties of PoW and the incentives
> Bitcoin uses to mine honestly.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 3. i do believe it is possible that a "burned
> coin + vdf system"
> > > > > > > > > > > > > > > might be more secure in the long run, and
> that if the entire space
> > > > > > > > > > > > > > > agreed that such an endeavor was
> worthwhile, a test net could be spun
> > > > > > > > > > > > > > > up, and a hard-fork could be initiated.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 4. i would never suggest such a thing unless
> i believed it was
> > > > > > > > > > > > > > > possible that consensus was possible. so
> no, this is not an "alt
> > > > > > > > > > > > > > > coin"
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Tue, May 18, 2021 at 10:02 AM Zac Greenwood
> zachgrw@gmail.com wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Hi ZmnSCPxj,
> > > > > > > > > > > > > > > > Please note that I am not suggesting VDFs as
> a means to save energy, but solely as a means to make the time between
> blocks more constant.
> > > > > > > > > > > > > > > > Zac
> > > > > > > > > > > > > > > > On Tue, 18 May 2021 at 12:42, ZmnSCPxj
> ZmnSCPxj@protonmail.com wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Good morning Zac,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > VDFs might enable more constant block
> times, for instance by having a two-step PoW:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 1. Use a VDF that takes say 9 minutes
> to resolve (VDF being subject to difficulty adjustments similar to the
> as-is). As per the property of VDFs, miners are able show proof of work.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 2. Use current PoW mechanism with lower
> difficulty so finding a block takes 1 minute on average, again subject to
> as-is difficulty adjustments.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > As a result, variation in block times
> will be greatly reduced.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > As I understand it, another weakness of
> VDFs is that they are not inherently progress-free (their sequential nature
> prevents that; they are inherently progress-requiring).
> > > > > > > > > > > > > > > > > Thus, a miner which focuses on improving
> the amount of energy that it can pump into the VDF circuitry (by
> overclocking and freezing the circuitry), could potentially get into a
> winner-takes-all situation, possibly leading to even worse competition and
> even more energy consumption.
> > > > > > > > > > > > > > > > > After all, if you can start mining 0.1s
> faster than the competition, that is a 0.1s advantage where only you can
> mine in the entire world.
> > > > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > > > ZmnSCPxj
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > >
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > >
> > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > >
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > >
> > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > >
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > >
> > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > >
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> >
>
[-- Attachment #2: Type: text/html, Size: 60224 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-28 20:06 ` Erik Aronesty
2021-05-28 21:40 ` Billy Tetrud
@ 2021-06-01 8:21 ` befreeandopen
2021-06-01 16:33 ` Erik Aronesty
1 sibling, 1 reply; 67+ messages in thread
From: befreeandopen @ 2021-06-01 8:21 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh, Billy Tetrud
Erik, thanks for the link. So referring to https://en.bitcoin.it/wiki/Proof_of_burn, I do not really understand how this is supposed to be that much better over many proof of stake proposals. If there is more research on PoB, please note I'm not commenting on that as I only read this wiki article and my comments are purely related to this only.
I hope we can agree that the idea with manual insertion of entropy every week can be discarded, but at the same time I don't think it is a crucial point of the whole idea. So we can just focus on the rest of it.
Then the whole idea seems just like certain proof of stake implementations with just small differences, which I try to summarize:
- in PoB, in order to use the coin for block production, you burn it in the past and wait some time -- in the certain PoS I'm talking about, in order to use the coin, you do not move the coin for some time - so in both there is the same idea - you somehow make the coin eligible for the block creation process by first doing some action followed by some inaction for some time; the difference here is that if later you use such coin in PoS, then after waiting more time, you can use the coin again (for whatever purpose), while in PoB the coin is gone forever (it is burned); this does not seem to be fundamentally different
- in PoB, the author suggests there is an exponential decay of the power of the coin to create a block; in some PoS schemas, there historically was an era of so called CoinAge mechanism, which was somewhat inverse to this exponential decay, it was that the coin gets more power the older it is untouched, some implementations were for linear increase in the power, some exponential. Usually there was a certain limit - i.e. a maximum power the coin may have reached. It turned out quite quickly that such property is making attacks easier. PoB reverses the idea, but I don't think that helps that much. In any case, there seems to be an optimal period of time for each used coin, in both PoS and PoB, where the coin is most suitable for block production. I admit PoB version is better, but the crucial property here is that some coins are more powerful than other.
- in both PoB and PoS it seems there is linear increase of the ability of the coin to produce blocks with the size of the coin (more BTC you burn/stake, the better your chance)
This characteristic of PoB does not suggest that it would have that much different properties than PoS. So it should suffer from same problems as PoS. Namely, the problems I see now, with the given proposal from wiki, are:
- there seems to be lack of definition of the heaviest chain and difficulty adjustment - this seems crucial, but likely solvable, I'm just saying it is importantly missing in the description
- there seems to be a problem with nothing at stake (nothing at burn maybe?) - How that can be? Again, it seems that every burned coin can be used for free checks at any time after the initial waiting period. These free checks are indeed free and are the core of the nothing at stake problem in PoS. You seem to make those checks for free and you seem to be able to use those burned coins to create arbitrary number of forks build on any parent blocks of your choice, not just the last block of the heaviest chain. I can't see at the moment how is this different from PoS nothing at stake problem. Maybe you can explain?
- it seems to me that there is a trivial attack against the scheme by a wealthy attacker. Suppose a common size of the burn is 1 BTC per block, suppose you define the heaviest chain rule somehow in relation to total number of burned coins or the cumulative "strength" of the "lowest" hashes, then you can just burn 20 UTXOs, each being 10 BTC in value, so you spent 200 BTC on this attack, but you are in very strong position because after you wait the needed time, you should be able to do pretty nasty reorg. Suppose that the main chain is A-B-C-D-E-F, so what you do at that point is that you just "try for free" all your 20 UTXOs, whether or not they can build on top of block A (which has 5 confs on top, F is the tip of the main chain). Since you have big UTXOs, your chances should be good, of course you can always try many times because you have a "lottery ticket" for every timestampt t. So with this you should be able, with good chance, to find such B' and then you have 19 UTXOs remaining to try to build on B' in the same way. I can't see what prevents this attack in the described scheme.
- the ability to retroactively try all different kids of timestamp t seems devastating - you again get super easy and somewhat cheap attack (due to nothing at burn problem) that allows you to rewrite even long chains at will.
Could you explain what am I missing here, because this actually does not seem better, but rather worse than some PoS schemes?
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, May 28, 2021 9:06 PM, Erik Aronesty <erik@q32.com> wrote:
> best writeup i know of is here:
>
> https://en.bitcoin.it/wiki/Proof_of_burn
>
> no formal proposals or proofs that i know of.
>
> On Fri, May 28, 2021 at 10:40 AM befreeandopen
> befreeandopen@protonmail.com wrote:
>
> > Erik, I am sorry, I have little knowledge about proof-of-burn, I never found it interesting up until now. Some of your recent claims seem quite strong to me and I'd like to read more.
> > Forgive me if this has been mentioned recently, but is there a full specification of the concept you are referring to? I don't mean just the basic idea description (that much is clear to me), I mean a fully detailed proposal or technical documentation that would give me a precise information about what exactly it is that you are talking about.
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty erik@q32.com wrote:
> >
> > > note: the "nothing at stake" problem you propose is not broken for
> > > proof-of-burn, because the attacker
> > > a) has no idea which past transactions are burns
> > > b) has no way to use his mining power, even 5%, to maliciously improve
> > > his odds of being selected
> > > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > > befreeandopen@protonmail.com wrote:
> > >
> > > > @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
> > > >
> > > > 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> > > > 2. They receive a new block minted by someone else.
> > > > 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> > > > 4. Profit!
> > > >
> > > > The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
> > > > Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
> > > > I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
> > > > What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
> > > > Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
> > > > How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
> > > >
> > > > > the problem is not as hard as you think
> > > >
> > > > I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
> > > > This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
> > > >
> > > > > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
> > > >
> > > > I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
> > > > Perhaps you should quote the full sentence and not just a part of it:
> > > > "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
> > > > You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
> > > > In case of the punishment it was meant to be the not solve it completely part.
> > > > Also "typically" does not imply always.
> > > > But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
> > > >
> > > > > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
> > > >
> > > > Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
> > > > This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
> > > >
> > > > > Just because of the above we must reject PoS as being critically insecure
> > > >
> > > > I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
> > > > I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
> > > > Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
> > > > On Tue, May 25, 2021 at 11:10 AM befreeandopen befreeandopen@protonmail.com wrote:
> > > >
> > > > > @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
> > > > > The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
> > > > > This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
> > > > >
> > > > > > I am not sure if this is what you call quorum-based PoS
> > > > >
> > > > > Yes, pre-selected minters is exactly what I mean by that.
> > > > >
> > > > > > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
> > > > >
> > > > > Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
> > > > > I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
> > > > > Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
> > > > > While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
> > > > > Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
> > > > > Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
> > > > > So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
> > > > > It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
> > > > > Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
> > > > > On Tue, May 25, 2021 at 3:00 AM Erik Aronesty erik@q32.com wrote:
> > > > >
> > > > > > > > you burn them to be used at a future particular block height
> > > > > >
> > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > >
> > > > > > could be right. the original idea was to have burns decay over time,
> > > > > > like ASIC's.
> > > > > > anyway the point was not that "i had a magic formula"
> > > > > > the point was that proof of burn is almost always better than proof of
> > > > > > stake - simply because the "proof" is on-chain, not sitting on a node
> > > > > > somewhere waiting to be stolen.
> > > > > > On Mon, May 24, 2021 at 9:53 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > >
> > > > > > > Is this the kind of proof of burn you're talking about?
> > > > > > >
> > > > > > > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
> > > > > > >
> > > > > > > What prevents you from attempting to mine block 553 on both chains?
> > > > > > >
> > > > > > > > miners have a very strong, long-term, investment in the stability of the chain.
> > > > > > >
> > > > > > > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
> > > > > > >
> > > > > > > > you burn them to be used at a future particular block height
> > > > > > >
> > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > > >
> > > > > > > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
> > > > > > >
> > > > > > > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
> > > > > > > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty erik@q32.com wrote:
> > > > > > >
> > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > > I'm fuzzy on how proof of burn works.
> > > > > > > >
> > > > > > > > when you burn coins, you burn them to be used at a future particular
> > > > > > > > block height: so if i'm burning for block 553, i can only use them to
> > > > > > > > mine block 553. if i have a choice between two chains, one longer
> > > > > > > > and one shorter, i can only choose one... deterministically, for that
> > > > > > > > burn: the chain with the height 553. if we fix the "lead time" for
> > > > > > > > burned coins to be weeks or even months in advance, miners have a very
> > > > > > > > strong, long-term, investment in the stability of the chain.
> > > > > > > > therefore there is no "nothing at stake" problem. it's
> > > > > > > > deterministic, so miners have no choice. they can only choose the
> > > > > > > > transactions that go into the block. they cannot choose which chain
> > > > > > > > to mine, and it's time-locked, so rollbacks and instability always
> > > > > > > > hurt miners the most.
> > > > > > > > the "punishment" systems of PoS are "weird at best", certainly
> > > > > > > > unproven. i can imagine scenarios where large stakeholders can
> > > > > > > > collude to punish smaller stakeholders simply to drive them out of
> > > > > > > > business, for example. and then you have to put checks in place to
> > > > > > > > prevent that, and more checks for those prevention system...
> > > > > > > > in PoB, there is no complexity. simpler systems like this are
> > > > > > > > typically more secure.
> > > > > > > > PoB also solves problems caused by "energy dependence", which could
> > > > > > > > lead to state monopolies on mining (like the new Bitcoin Mining
> > > > > > > > Council). these consortiums, if state sanctioned, could become a
> > > > > > > > source of censorship, for example. Since PoB doesn't require you to
> > > > > > > > have a live, well-connected node, it's harder to censor & harder to
> > > > > > > > trace.
> > > > > > > > Eliminating this weakness seems to be in the best interests of
> > > > > > > > existing stakeholders
> > > > > > > > On Mon, May 24, 2021 at 4:44 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > > >
> > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > >
> > > > > > > > > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
> > > > > > > > >
> > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > >
> > > > > > > > > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
> > > > > > > > >
> > > > > > > > > > proof of burn can be more secure than proof-of-stake
> > > > > > > > >
> > > > > > > > > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
> > > > > > > > > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > > >
> > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > >
> > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > > >
> > > > > > > > > > > how does proof of burn solve the "nothing at stake" problem in your view?
> > > > > > > > > >
> > > > > > > > > > definition of nothing at stake: in the event of a fork, whether the
> > > > > > > > > > fork is accidental or a malicious, the optimal strategy for any miner
> > > > > > > > > > is to mine on every chain, so that the miner gets their reward no
> > > > > > > > > > matter which fork wins. indeed in proof-of-stake, the proofs are
> > > > > > > > > > published on the very chains mines, so the incentive is magnified.
> > > > > > > > > > in proof-of-burn, your burn investment is always "at stake", any
> > > > > > > > > > redaction can result in a loss-of-burn, because burns can be tied,
> > > > > > > > > > precisely, to block-heights
> > > > > > > > > > as a result, miners no longer have an incentive to mine all chains
> > > > > > > > > > in this way proof of burn can be more secure than proof-of-stake, and
> > > > > > > > > > even more secure than proof of work
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi Billy,
> > > > > > > > > > > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
> > > > > > > > > > > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
> > > > > > > > > > > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> > > > > > > > > > > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
> > > > > > > > > > > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
> > > > > > > > > > > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
> > > > > > > > > > > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
> > > > > > > > > > > In PoS systems this clean separation of responsibilities does not exist.
> > > > > > > > > > > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
> > > > > > > > > > > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
> > > > > > > > > > > But the devil is in the detail.
> > > > > > > > > > > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
> > > > > > > > > > >
> > > > > > > > > > > ### Proof of SquareSpace (Cardano, Polkdadot)
> > > > > > > > > > >
> > > > > > > > > > > Cardano is a UTXO based PoS coin based on Ouroboros Praos3 with an inbuilt on-chain delegation system5.
> > > > > > > > > > > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
> > > > > > > > > > > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
> > > > > > > > > > > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
> > > > > > > > > > >
> > > > > > > > > > > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
> > > > > > > > > > >
> > > > > > > > > > > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and you never help create a block without seeing it first.
> > > > > > > > > > >
> > > > > > > > > > > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
> > > > > > > > > > > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
> > > > > > > > > > > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
> > > > > > > > > > > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
> > > > > > > > > > > It also grows the size of the blockchain significantly.
> > > > > > > > > > >
> > > > > > > > > > > ### "Pure" proof of stake (Algorand)
> > > > > > > > > > >
> > > > > > > > > > > Algorand's4 approach is to only allow online stake to participate in the protocol.
> > > > > > > > > > > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
> > > > > > > > > > > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"1 that will be used to create blocks on your coin holding key's behalf.
> > > > > > > > > > > Hopefully you've spotted the problem.
> > > > > > > > > > > You can send your participation keys to any malicious party with a nice website (see random example 2) offering you a good return.
> > > > > > > > > > > Damn it's still Proof-of-SquareSpace!
> > > > > > > > > > > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
> > > > > > > > > > > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
> > > > > > > > > > >
> > > > > > > > > > > ### Conclusion
> > > > > > > > > > >
> > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
> > > > > > > > > > > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
> > > > > > > > > > > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
> > > > > > > > > > > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
> > > > > > > > > > > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
> > > > > > > > > > > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
> > > > > > > > > > > Would be interested to know if you or others think differently on these points.
> > > > > > > > > > > Cheers,
> > > > > > > > > > > LL
> > > > > > > > > > > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) without compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
> > > > > > > > > > > > @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
> > > > > > > > > > > >
> > > > > > > > > > > > - The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
> > > > > > > > > > > > - The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
> > > > > > > > > > > > - The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
> > > > > > > > > > > > - Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
> > > > > > > > > > > >
> > > > > > > > > > > > > Proof-of-stake tends towards oligopolistic control
> > > > > > > > > > > >
> > > > > > > > > > > > People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
> > > > > > > > > > > >
> > > > > > > > > > > > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> > > > > > > > > > > >
> > > > > > > > > > > > I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
> > > > > > > > > > > >
> > > > > > > > > > > > > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> > > > > > > > > > > >
> > > > > > > > > > > > I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
> > > > > > > > > > > >
> > > > > > > > > > > > > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
> > > > > > > > > > > >
> > > > > > > > > > > > Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
> > > > > > > > > > > >
> > > > > > > > > > > > > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
> > > > > > > > > > > >
> > > > > > > > > > > > This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
> > > > > > > > > > > >
> > > > > > > > > > > > > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
> > > > > > > > > > > >
> > > > > > > > > > > > Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
> > > > > > > > > > > > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Ah sorry, I didn't realize this was, in fact, a different thread! :)
> > > > > > > > > > > > > On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky mike@powx.org wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
> > > > > > > > > > > > > > Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > Mike
> > > > > > > > > > > > > > On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 1. i never suggested vdf's to replace pow.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 2. my suggestion was specifically in the context of a working
> > > > > > > > > > > > > > > proof-of-burn protocol
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - vdfs used only for timing (not block height)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - blind-burned coins of a specific age used to replace proof of work
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - the required "work" per block would simply be a competition to
> > > > > > > > > > > > > > > acquire rewards, and so miners would have to burn coins, well in
> > > > > > > > > > > > > > > advance, and hope that their burned coins got rewarded in some far
> > > > > > > > > > > > > > > future
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - the point of burned coins is to mimic, in every meaningful way, the
> > > > > > > > > > > > > > > value gained from proof of work... without some of the security
> > > > > > > > > > > > > > > drawbacks
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - the miner risks losing all of his burned coins (like all miners risk
> > > > > > > > > > > > > > > losing their work in each block)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - new burns can't be used
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - old burns age out (like ASICs do)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - other requirements on burns might be needed to properly mirror the
> > > > > > > > > > > > > > > properties of PoW and the incentives Bitcoin uses to mine honestly.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 3. i do believe it is possible that a "burned coin + vdf system"
> > > > > > > > > > > > > > > might be more secure in the long run, and that if the entire space
> > > > > > > > > > > > > > > agreed that such an endeavor was worthwhile, a test net could be spun
> > > > > > > > > > > > > > > up, and a hard-fork could be initiated.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 4. i would never suggest such a thing unless i believed it was
> > > > > > > > > > > > > > > possible that consensus was possible. so no, this is not an "alt
> > > > > > > > > > > > > > > coin"
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Tue, May 18, 2021 at 10:02 AM Zac Greenwood zachgrw@gmail.com wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Hi ZmnSCPxj,
> > > > > > > > > > > > > > > > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
> > > > > > > > > > > > > > > > Zac
> > > > > > > > > > > > > > > > On Tue, 18 May 2021 at 12:42, ZmnSCPxj ZmnSCPxj@protonmail.com wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Good morning Zac,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > VDFs might enable more constant block times, for instance by having a two-step PoW:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > As a result, variation in block times will be greatly reduced.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
> > > > > > > > > > > > > > > > > Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even worse competition and even more energy consumption.
> > > > > > > > > > > > > > > > > After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where only you can mine in the entire world.
> > > > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > > > ZmnSCPxj
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > >
> > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > >
> > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-01 8:21 ` befreeandopen
@ 2021-06-01 16:33 ` Erik Aronesty
2021-06-01 19:26 ` befreeandopen
0 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-06-01 16:33 UTC (permalink / raw)
To: befreeandopen; +Cc: Bitcoin Protocol Discussion, SatoshiSingh, Billy Tetrud
> Could you explain what am I missing here, because this actually does not seem better, but rather worse than some PoS schemes?
Given your example, if !BTC is needed to burn, that's a $50k
investment in an ASIC needed to mine a block. That's not anywhere
near current levels. It's not even approaching the current PoW. A
$50k investment to be a large amount of hash power is ... well,
somewhere more than 10 years ago.
Then you compute a ratio of 200x, where someone is spending 200x the
cost needed to mine a block. Let's use real numbers. Look,
instead, at the global investment in ASIC's required to mine a block.
Now assume that in PoB, miners would spend the same amount they are
today, burning coins rather than buying ASICs.
In real life, PoB is always an "equivalent defense" to PoW, because no
matter what scenario you throw at me, one can continue to tweak the
numbers until PoB *is* equivalent.
For example, If an attacker decided to amass proof-of-burn enough to
perform a reorg, they would have to essentially spend as much money as
a 51% attack today. And they would have to do so well in advance.
We could also require a time-locked "reveal" phase where burns are
revealed to be burns well after they are incorporated - ie: it will be
public knowledge that someone is amassing a large amount of
hashpower-equivlent. That is one of the current advantages of PoW.
My original proof-of-burn concept was designed to mimic ASICs as much
as possible:
1. large initial investment (burn to acquire power)
2. continued investment (burn to activate power in each block, lost if
block is not found)
Ideally, the attacker would have to keep burning for each lottery
ticket, which can only be used once. Committing that burn to a
particular block for example.
Any attack you propose for a "assumed well designed PoB" can also attack PoW.
Any attack you propose for a "assumed well designed PoB" can also attack PoS.
But there are some things PoB can do that PoS can't... which is really
my original point.
- sunk costs/lost investment
- "hashpower" is "offline", and cannot be seized.
On Tue, Jun 1, 2021 at 4:21 AM befreeandopen
<befreeandopen@protonmail.com> wrote:
>
> Erik, thanks for the link. So referring to https://en.bitcoin.it/wiki/Proof_of_burn, I do not really understand how this is supposed to be that much better over many proof of stake proposals. If there is more research on PoB, please note I'm not commenting on that as I only read this wiki article and my comments are purely related to this only.
>
> I hope we can agree that the idea with manual insertion of entropy every week can be discarded, but at the same time I don't think it is a crucial point of the whole idea. So we can just focus on the rest of it.
>
> Then the whole idea seems just like certain proof of stake implementations with just small differences, which I try to summarize:
>
> - in PoB, in order to use the coin for block production, you burn it in the past and wait some time -- in the certain PoS I'm talking about, in order to use the coin, you do not move the coin for some time - so in both there is the same idea - you somehow make the coin eligible for the block creation process by first doing some action followed by some inaction for some time; the difference here is that if later you use such coin in PoS, then after waiting more time, you can use the coin again (for whatever purpose), while in PoB the coin is gone forever (it is burned); this does not seem to be fundamentally different
>
> - in PoB, the author suggests there is an exponential decay of the power of the coin to create a block; in some PoS schemas, there historically was an era of so called CoinAge mechanism, which was somewhat inverse to this exponential decay, it was that the coin gets more power the older it is untouched, some implementations were for linear increase in the power, some exponential. Usually there was a certain limit - i.e. a maximum power the coin may have reached. It turned out quite quickly that such property is making attacks easier. PoB reverses the idea, but I don't think that helps that much. In any case, there seems to be an optimal period of time for each used coin, in both PoS and PoB, where the coin is most suitable for block production. I admit PoB version is better, but the crucial property here is that some coins are more powerful than other.
>
> - in both PoB and PoS it seems there is linear increase of the ability of the coin to produce blocks with the size of the coin (more BTC you burn/stake, the better your chance)
>
> This characteristic of PoB does not suggest that it would have that much different properties than PoS. So it should suffer from same problems as PoS. Namely, the problems I see now, with the given proposal from wiki, are:
>
> - there seems to be lack of definition of the heaviest chain and difficulty adjustment - this seems crucial, but likely solvable, I'm just saying it is importantly missing in the description
>
> - there seems to be a problem with nothing at stake (nothing at burn maybe?) - How that can be? Again, it seems that every burned coin can be used for free checks at any time after the initial waiting period. These free checks are indeed free and are the core of the nothing at stake problem in PoS. You seem to make those checks for free and you seem to be able to use those burned coins to create arbitrary number of forks build on any parent blocks of your choice, not just the last block of the heaviest chain. I can't see at the moment how is this different from PoS nothing at stake problem. Maybe you can explain?
>
> - it seems to me that there is a trivial attack against the scheme by a wealthy attacker. Suppose a common size of the burn is 1 BTC per block, suppose you define the heaviest chain rule somehow in relation to total number of burned coins or the cumulative "strength" of the "lowest" hashes, then you can just burn 20 UTXOs, each being 10 BTC in value, so you spent 200 BTC on this attack, but you are in very strong position because after you wait the needed time, you should be able to do pretty nasty reorg. Suppose that the main chain is A-B-C-D-E-F, so what you do at that point is that you just "try for free" all your 20 UTXOs, whether or not they can build on top of block A (which has 5 confs on top, F is the tip of the main chain). Since you have big UTXOs, your chances should be good, of course you can always try many times because you have a "lottery ticket" for every timestampt t. So with this you should be able, with good chance, to find such B' and then you have 19 UTXOs remaining to try to build on B' in the same way. I can't see what prevents this attack in the described scheme.
>
> - the ability to retroactively try all different kids of timestamp t seems devastating - you again get super easy and somewhat cheap attack (due to nothing at burn problem) that allows you to rewrite even long chains at will.
>
>
> Could you explain what am I missing here, because this actually does not seem better, but rather worse than some PoS schemes?
>
>
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, May 28, 2021 9:06 PM, Erik Aronesty <erik@q32.com> wrote:
>
> > best writeup i know of is here:
> >
> > https://en.bitcoin.it/wiki/Proof_of_burn
> >
> > no formal proposals or proofs that i know of.
> >
> > On Fri, May 28, 2021 at 10:40 AM befreeandopen
> > befreeandopen@protonmail.com wrote:
> >
> > > Erik, I am sorry, I have little knowledge about proof-of-burn, I never found it interesting up until now. Some of your recent claims seem quite strong to me and I'd like to read more.
> > > Forgive me if this has been mentioned recently, but is there a full specification of the concept you are referring to? I don't mean just the basic idea description (that much is clear to me), I mean a fully detailed proposal or technical documentation that would give me a precise information about what exactly it is that you are talking about.
> > > Sent with ProtonMail Secure Email.
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty erik@q32.com wrote:
> > >
> > > > note: the "nothing at stake" problem you propose is not broken for
> > > > proof-of-burn, because the attacker
> > > > a) has no idea which past transactions are burns
> > > > b) has no way to use his mining power, even 5%, to maliciously improve
> > > > his odds of being selected
> > > > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > > > befreeandopen@protonmail.com wrote:
> > > >
> > > > > @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
> > > > >
> > > > > 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> > > > > 2. They receive a new block minted by someone else.
> > > > > 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> > > > > 4. Profit!
> > > > >
> > > > > The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
> > > > > Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
> > > > > I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
> > > > > What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
> > > > > Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
> > > > > How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
> > > > >
> > > > > > the problem is not as hard as you think
> > > > >
> > > > > I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
> > > > > This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
> > > > >
> > > > > > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
> > > > >
> > > > > I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
> > > > > Perhaps you should quote the full sentence and not just a part of it:
> > > > > "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
> > > > > You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
> > > > > In case of the punishment it was meant to be the not solve it completely part.
> > > > > Also "typically" does not imply always.
> > > > > But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
> > > > >
> > > > > > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
> > > > >
> > > > > Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
> > > > > This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
> > > > >
> > > > > > Just because of the above we must reject PoS as being critically insecure
> > > > >
> > > > > I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
> > > > > I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
> > > > > Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
> > > > > On Tue, May 25, 2021 at 11:10 AM befreeandopen befreeandopen@protonmail.com wrote:
> > > > >
> > > > > > @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
> > > > > > The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
> > > > > > This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
> > > > > >
> > > > > > > I am not sure if this is what you call quorum-based PoS
> > > > > >
> > > > > > Yes, pre-selected minters is exactly what I mean by that.
> > > > > >
> > > > > > > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
> > > > > >
> > > > > > Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
> > > > > > I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
> > > > > > Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
> > > > > > While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
> > > > > > Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
> > > > > > Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
> > > > > > So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
> > > > > > It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
> > > > > > Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
> > > > > > On Tue, May 25, 2021 at 3:00 AM Erik Aronesty erik@q32.com wrote:
> > > > > >
> > > > > > > > > you burn them to be used at a future particular block height
> > > > > > >
> > > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > > >
> > > > > > > could be right. the original idea was to have burns decay over time,
> > > > > > > like ASIC's.
> > > > > > > anyway the point was not that "i had a magic formula"
> > > > > > > the point was that proof of burn is almost always better than proof of
> > > > > > > stake - simply because the "proof" is on-chain, not sitting on a node
> > > > > > > somewhere waiting to be stolen.
> > > > > > > On Mon, May 24, 2021 at 9:53 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > >
> > > > > > > > Is this the kind of proof of burn you're talking about?
> > > > > > > >
> > > > > > > > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
> > > > > > > >
> > > > > > > > What prevents you from attempting to mine block 553 on both chains?
> > > > > > > >
> > > > > > > > > miners have a very strong, long-term, investment in the stability of the chain.
> > > > > > > >
> > > > > > > > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
> > > > > > > >
> > > > > > > > > you burn them to be used at a future particular block height
> > > > > > > >
> > > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > > > >
> > > > > > > > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
> > > > > > > >
> > > > > > > > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
> > > > > > > > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > >
> > > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > > > I'm fuzzy on how proof of burn works.
> > > > > > > > >
> > > > > > > > > when you burn coins, you burn them to be used at a future particular
> > > > > > > > > block height: so if i'm burning for block 553, i can only use them to
> > > > > > > > > mine block 553. if i have a choice between two chains, one longer
> > > > > > > > > and one shorter, i can only choose one... deterministically, for that
> > > > > > > > > burn: the chain with the height 553. if we fix the "lead time" for
> > > > > > > > > burned coins to be weeks or even months in advance, miners have a very
> > > > > > > > > strong, long-term, investment in the stability of the chain.
> > > > > > > > > therefore there is no "nothing at stake" problem. it's
> > > > > > > > > deterministic, so miners have no choice. they can only choose the
> > > > > > > > > transactions that go into the block. they cannot choose which chain
> > > > > > > > > to mine, and it's time-locked, so rollbacks and instability always
> > > > > > > > > hurt miners the most.
> > > > > > > > > the "punishment" systems of PoS are "weird at best", certainly
> > > > > > > > > unproven. i can imagine scenarios where large stakeholders can
> > > > > > > > > collude to punish smaller stakeholders simply to drive them out of
> > > > > > > > > business, for example. and then you have to put checks in place to
> > > > > > > > > prevent that, and more checks for those prevention system...
> > > > > > > > > in PoB, there is no complexity. simpler systems like this are
> > > > > > > > > typically more secure.
> > > > > > > > > PoB also solves problems caused by "energy dependence", which could
> > > > > > > > > lead to state monopolies on mining (like the new Bitcoin Mining
> > > > > > > > > Council). these consortiums, if state sanctioned, could become a
> > > > > > > > > source of censorship, for example. Since PoB doesn't require you to
> > > > > > > > > have a live, well-connected node, it's harder to censor & harder to
> > > > > > > > > trace.
> > > > > > > > > Eliminating this weakness seems to be in the best interests of
> > > > > > > > > existing stakeholders
> > > > > > > > > On Mon, May 24, 2021 at 4:44 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > > > >
> > > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > > >
> > > > > > > > > > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
> > > > > > > > > >
> > > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > >
> > > > > > > > > > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
> > > > > > > > > >
> > > > > > > > > > > proof of burn can be more secure than proof-of-stake
> > > > > > > > > >
> > > > > > > > > > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
> > > > > > > > > > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > >
> > > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > > > >
> > > > > > > > > > > > how does proof of burn solve the "nothing at stake" problem in your view?
> > > > > > > > > > >
> > > > > > > > > > > definition of nothing at stake: in the event of a fork, whether the
> > > > > > > > > > > fork is accidental or a malicious, the optimal strategy for any miner
> > > > > > > > > > > is to mine on every chain, so that the miner gets their reward no
> > > > > > > > > > > matter which fork wins. indeed in proof-of-stake, the proofs are
> > > > > > > > > > > published on the very chains mines, so the incentive is magnified.
> > > > > > > > > > > in proof-of-burn, your burn investment is always "at stake", any
> > > > > > > > > > > redaction can result in a loss-of-burn, because burns can be tied,
> > > > > > > > > > > precisely, to block-heights
> > > > > > > > > > > as a result, miners no longer have an incentive to mine all chains
> > > > > > > > > > > in this way proof of burn can be more secure than proof-of-stake, and
> > > > > > > > > > > even more secure than proof of work
> > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Hi Billy,
> > > > > > > > > > > > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
> > > > > > > > > > > > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
> > > > > > > > > > > > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> > > > > > > > > > > > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
> > > > > > > > > > > > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
> > > > > > > > > > > > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
> > > > > > > > > > > > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
> > > > > > > > > > > > In PoS systems this clean separation of responsibilities does not exist.
> > > > > > > > > > > > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
> > > > > > > > > > > > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
> > > > > > > > > > > > But the devil is in the detail.
> > > > > > > > > > > > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
> > > > > > > > > > > >
> > > > > > > > > > > > ### Proof of SquareSpace (Cardano, Polkdadot)
> > > > > > > > > > > >
> > > > > > > > > > > > Cardano is a UTXO based PoS coin based on Ouroboros Praos3 with an inbuilt on-chain delegation system5.
> > > > > > > > > > > > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
> > > > > > > > > > > > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
> > > > > > > > > > > > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
> > > > > > > > > > > >
> > > > > > > > > > > > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
> > > > > > > > > > > >
> > > > > > > > > > > > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and you never help create a block without seeing it first.
> > > > > > > > > > > >
> > > > > > > > > > > > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
> > > > > > > > > > > > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
> > > > > > > > > > > > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
> > > > > > > > > > > > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
> > > > > > > > > > > > It also grows the size of the blockchain significantly.
> > > > > > > > > > > >
> > > > > > > > > > > > ### "Pure" proof of stake (Algorand)
> > > > > > > > > > > >
> > > > > > > > > > > > Algorand's4 approach is to only allow online stake to participate in the protocol.
> > > > > > > > > > > > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
> > > > > > > > > > > > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"1 that will be used to create blocks on your coin holding key's behalf.
> > > > > > > > > > > > Hopefully you've spotted the problem.
> > > > > > > > > > > > You can send your participation keys to any malicious party with a nice website (see random example 2) offering you a good return.
> > > > > > > > > > > > Damn it's still Proof-of-SquareSpace!
> > > > > > > > > > > > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
> > > > > > > > > > > > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
> > > > > > > > > > > >
> > > > > > > > > > > > ### Conclusion
> > > > > > > > > > > >
> > > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > > > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
> > > > > > > > > > > > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
> > > > > > > > > > > > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
> > > > > > > > > > > > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
> > > > > > > > > > > > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
> > > > > > > > > > > > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
> > > > > > > > > > > > Would be interested to know if you or others think differently on these points.
> > > > > > > > > > > > Cheers,
> > > > > > > > > > > > LL
> > > > > > > > > > > > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) without compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
> > > > > > > > > > > > > @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
> > > > > > > > > > > > >
> > > > > > > > > > > > > - The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
> > > > > > > > > > > > > - The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
> > > > > > > > > > > > > - The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
> > > > > > > > > > > > > - Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Proof-of-stake tends towards oligopolistic control
> > > > > > > > > > > > >
> > > > > > > > > > > > > People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> > > > > > > > > > > > >
> > > > > > > > > > > > > I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> > > > > > > > > > > > >
> > > > > > > > > > > > > I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
> > > > > > > > > > > > >
> > > > > > > > > > > > > Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
> > > > > > > > > > > > >
> > > > > > > > > > > > > > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
> > > > > > > > > > > > >
> > > > > > > > > > > > > This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
> > > > > > > > > > > > >
> > > > > > > > > > > > > > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
> > > > > > > > > > > > >
> > > > > > > > > > > > > Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
> > > > > > > > > > > > > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Ah sorry, I didn't realize this was, in fact, a different thread! :)
> > > > > > > > > > > > > > On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky mike@powx.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
> > > > > > > > > > > > > > > Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> > > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > > Mike
> > > > > > > > > > > > > > > On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 1. i never suggested vdf's to replace pow.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 2. my suggestion was specifically in the context of a working
> > > > > > > > > > > > > > > > proof-of-burn protocol
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - vdfs used only for timing (not block height)
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - blind-burned coins of a specific age used to replace proof of work
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - the required "work" per block would simply be a competition to
> > > > > > > > > > > > > > > > acquire rewards, and so miners would have to burn coins, well in
> > > > > > > > > > > > > > > > advance, and hope that their burned coins got rewarded in some far
> > > > > > > > > > > > > > > > future
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - the point of burned coins is to mimic, in every meaningful way, the
> > > > > > > > > > > > > > > > value gained from proof of work... without some of the security
> > > > > > > > > > > > > > > > drawbacks
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - the miner risks losing all of his burned coins (like all miners risk
> > > > > > > > > > > > > > > > losing their work in each block)
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - new burns can't be used
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - old burns age out (like ASICs do)
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > - other requirements on burns might be needed to properly mirror the
> > > > > > > > > > > > > > > > properties of PoW and the incentives Bitcoin uses to mine honestly.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 3. i do believe it is possible that a "burned coin + vdf system"
> > > > > > > > > > > > > > > > might be more secure in the long run, and that if the entire space
> > > > > > > > > > > > > > > > agreed that such an endeavor was worthwhile, a test net could be spun
> > > > > > > > > > > > > > > > up, and a hard-fork could be initiated.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 4. i would never suggest such a thing unless i believed it was
> > > > > > > > > > > > > > > > possible that consensus was possible. so no, this is not an "alt
> > > > > > > > > > > > > > > > coin"
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Tue, May 18, 2021 at 10:02 AM Zac Greenwood zachgrw@gmail.com wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Hi ZmnSCPxj,
> > > > > > > > > > > > > > > > > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
> > > > > > > > > > > > > > > > > Zac
> > > > > > > > > > > > > > > > > On Tue, 18 May 2021 at 12:42, ZmnSCPxj ZmnSCPxj@protonmail.com wrote:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Good morning Zac,
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > VDFs might enable more constant block times, for instance by having a two-step PoW:
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > As a result, variation in block times will be greatly reduced.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
> > > > > > > > > > > > > > > > > > Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even worse competition and even more energy consumption.
> > > > > > > > > > > > > > > > > > After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where only you can mine in the entire world.
> > > > > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > > > > ZmnSCPxj
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > >
> > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > >
> > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-01 16:33 ` Erik Aronesty
@ 2021-06-01 19:26 ` befreeandopen
2021-06-01 20:28 ` Erik Aronesty
0 siblings, 1 reply; 67+ messages in thread
From: befreeandopen @ 2021-06-01 19:26 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, SatoshiSingh, Billy Tetrud
Comments inline.
> > Could you explain what am I missing here, because this actually does not seem better, but rather worse than some PoS schemes?
>
> Given your example, if !BTC is needed to burn, that's a $50k
> investment in an ASIC needed to mine a block. That's not anywhere
> near current levels. It's not even approaching the current PoW. A
> $50k investment to be a large amount of hash power is ... well,
> somewhere more than 10 years ago.
This is +- true with todays prices, that was not my point. We all know that today's total block revenue is nowhere near 1 BTC. If it is say 7 BTC, then we would expect that the miners spend roughly just about 7 BTC to produce the block - in long term, on average. Right? Today, this 7 BTC is supposed to be some average of investment into the mining rig, the building in which the rig exists (or its rent) and then some electricity. So when I said 1 BTC I meant that amount of BTC that is the sum of the block subsidy and fees at the time of this imagined switch to PoB. Use 7 BTC if you want to talk today. And yes, that seems very weak. But can you explain why it is not the case after switching to PoB that the cost of producing the block should roughly converge to to the revenue? Because I do not see why would miners spend more than what they can earn.
> My original proof-of-burn concept was designed to mimic ASICs as much
> as possible:
>
> 1. large initial investment (burn to acquire power)
> 2. continued investment (burn to activate power in each block, lost if
> block is not found)
>
> Ideally, the attacker would have to keep burning for each lottery
> ticket, which can only be used once. Committing that burn to a
> particular block for example.
>
> Any attack you propose for a "assumed well designed PoB" can also attack PoW.
> Any attack you propose for a "assumed well designed PoB" can also attack PoS.
>
> But there are some things PoB can do that PoS can't... which is really
> my original point.
This is the problem that I wanted to avoid. You refer to some "my original PoB", but I am strictly talking about the concept described in wiki because nothing else was provided to me. If we do not have a reference description of what you are talking about the debate will quickly turn into the classical debate with PoS supporters - I explain an attack and they "patch it", creating problem elsewhere. Then I explain an attack against that and they patch it there. And this goes infinitely.
So if there is some other version, better one than the one described in wiki, please let me know. If there is not, there is nothing to talk about really. You'd first need to define your model properly and describe very details of how it should work and then we can analyze it. It does not make much sense to me to analyze a ghost protocol that I always only see a tiny part of.
For example here above in the quoted text you mention some continual lost (if block is not found). If that is not the exponential decay as described in the wiki, then I have no idea what it is. I do not say that I can't imagine for myself what it could be, but it is up to you to define it, so we can be sure we are talking about the same thing.
Same with those early unblinding of burns - nothing about that in the wiki, so that concept is alien to me and it can not be subject to a debate before it is precisely described.
>
>
> - sunk costs/lost investment
> - "hashpower" is "offline", and cannot be seized.
>
> On Tue, Jun 1, 2021 at 4:21 AM befreeandopen
> befreeandopen@protonmail.com wrote:
>
>
> > Erik, thanks for the link. So referring to https://en.bitcoin.it/wiki/Proof_of_burn, I do not really understand how this is supposed to be that much better over many proof of stake proposals. If there is more research on PoB, please note I'm not commenting on that as I only read this wiki article and my comments are purely related to this only.
> > I hope we can agree that the idea with manual insertion of entropy every week can be discarded, but at the same time I don't think it is a crucial point of the whole idea. So we can just focus on the rest of it.
> > Then the whole idea seems just like certain proof of stake implementations with just small differences, which I try to summarize:
> >
> > - in PoB, in order to use the coin for block production, you burn it in the past and wait some time -- in the certain PoS I'm talking about, in order to use the coin, you do not move the coin for some time - so in both there is the same idea - you somehow make the coin eligible for the block creation process by first doing some action followed by some inaction for some time; the difference here is that if later you use such coin in PoS, then after waiting more time, you can use the coin again (for whatever purpose), while in PoB the coin is gone forever (it is burned); this does not seem to be fundamentally different
> >
> > - in PoB, the author suggests there is an exponential decay of the power of the coin to create a block; in some PoS schemas, there historically was an era of so called CoinAge mechanism, which was somewhat inverse to this exponential decay, it was that the coin gets more power the older it is untouched, some implementations were for linear increase in the power, some exponential. Usually there was a certain limit - i.e. a maximum power the coin may have reached. It turned out quite quickly that such property is making attacks easier. PoB reverses the idea, but I don't think that helps that much. In any case, there seems to be an optimal period of time for each used coin, in both PoS and PoB, where the coin is most suitable for block production. I admit PoB version is better, but the crucial property here is that some coins are more powerful than other.
> >
> > - in both PoB and PoS it seems there is linear increase of the ability of the coin to produce blocks with the size of the coin (more BTC you burn/stake, the better your chance)
> >
> >
> > This characteristic of PoB does not suggest that it would have that much different properties than PoS. So it should suffer from same problems as PoS. Namely, the problems I see now, with the given proposal from wiki, are:
> >
> > - there seems to be lack of definition of the heaviest chain and difficulty adjustment - this seems crucial, but likely solvable, I'm just saying it is importantly missing in the description
> >
> > - there seems to be a problem with nothing at stake (nothing at burn maybe?) - How that can be? Again, it seems that every burned coin can be used for free checks at any time after the initial waiting period. These free checks are indeed free and are the core of the nothing at stake problem in PoS. You seem to make those checks for free and you seem to be able to use those burned coins to create arbitrary number of forks build on any parent blocks of your choice, not just the last block of the heaviest chain. I can't see at the moment how is this different from PoS nothing at stake problem. Maybe you can explain?
> >
> > - it seems to me that there is a trivial attack against the scheme by a wealthy attacker. Suppose a common size of the burn is 1 BTC per block, suppose you define the heaviest chain rule somehow in relation to total number of burned coins or the cumulative "strength" of the "lowest" hashes, then you can just burn 20 UTXOs, each being 10 BTC in value, so you spent 200 BTC on this attack, but you are in very strong position because after you wait the needed time, you should be able to do pretty nasty reorg. Suppose that the main chain is A-B-C-D-E-F, so what you do at that point is that you just "try for free" all your 20 UTXOs, whether or not they can build on top of block A (which has 5 confs on top, F is the tip of the main chain). Since you have big UTXOs, your chances should be good, of course you can always try many times because you have a "lottery ticket" for every timestampt t. So with this you should be able, with good chance, to find such B' and then you have 19 UTXOs remaining to try to build on B' in the same way. I can't see what prevents this attack in the described scheme.
> >
> > - the ability to retroactively try all different kids of timestamp t seems devastating - you again get super easy and somewhat cheap attack (due to nothing at burn problem) that allows you to rewrite even long chains at will.
> >
> >
> > Could you explain what am I missing here, because this actually does not seem better, but rather worse than some PoS schemes?
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Friday, May 28, 2021 9:06 PM, Erik Aronesty erik@q32.com wrote:
> >
> > > best writeup i know of is here:
> > > https://en.bitcoin.it/wiki/Proof_of_burn
> > > no formal proposals or proofs that i know of.
> > > On Fri, May 28, 2021 at 10:40 AM befreeandopen
> > > befreeandopen@protonmail.com wrote:
> > >
> > > > Erik, I am sorry, I have little knowledge about proof-of-burn, I never found it interesting up until now. Some of your recent claims seem quite strong to me and I'd like to read more.
> > > > Forgive me if this has been mentioned recently, but is there a full specification of the concept you are referring to? I don't mean just the basic idea description (that much is clear to me), I mean a fully detailed proposal or technical documentation that would give me a precise information about what exactly it is that you are talking about.
> > > > Sent with ProtonMail Secure Email.
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty erik@q32.com wrote:
> > > >
> > > > > note: the "nothing at stake" problem you propose is not broken for
> > > > > proof-of-burn, because the attacker
> > > > > a) has no idea which past transactions are burns
> > > > > b) has no way to use his mining power, even 5%, to maliciously improve
> > > > > his odds of being selected
> > > > > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > > > > befreeandopen@protonmail.com wrote:
> > > > >
> > > > > > @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
> > > > > >
> > > > > > 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> > > > > > 2. They receive a new block minted by someone else.
> > > > > > 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> > > > > > 4. Profit!
> > > > > >
> > > > > > The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
> > > > > > Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
> > > > > > I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
> > > > > > What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
> > > > > > Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
> > > > > > How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
> > > > > >
> > > > > > > the problem is not as hard as you think
> > > > > >
> > > > > > I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
> > > > > > This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
> > > > > >
> > > > > > > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
> > > > > >
> > > > > > I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
> > > > > > Perhaps you should quote the full sentence and not just a part of it:
> > > > > > "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
> > > > > > You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
> > > > > > In case of the punishment it was meant to be the not solve it completely part.
> > > > > > Also "typically" does not imply always.
> > > > > > But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
> > > > > >
> > > > > > > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
> > > > > >
> > > > > > Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
> > > > > > This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
> > > > > >
> > > > > > > Just because of the above we must reject PoS as being critically insecure
> > > > > >
> > > > > > I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
> > > > > > I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
> > > > > > Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
> > > > > > On Tue, May 25, 2021 at 11:10 AM befreeandopen befreeandopen@protonmail.com wrote:
> > > > > >
> > > > > > > @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
> > > > > > > The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
> > > > > > > This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
> > > > > > >
> > > > > > > > I am not sure if this is what you call quorum-based PoS
> > > > > > >
> > > > > > > Yes, pre-selected minters is exactly what I mean by that.
> > > > > > >
> > > > > > > > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
> > > > > > >
> > > > > > > Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
> > > > > > > I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
> > > > > > > Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
> > > > > > > While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
> > > > > > > Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
> > > > > > > Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
> > > > > > > So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
> > > > > > > It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
> > > > > > > Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
> > > > > > > On Tue, May 25, 2021 at 3:00 AM Erik Aronesty erik@q32.com wrote:
> > > > > > >
> > > > > > > > > > you burn them to be used at a future particular block height
> > > > > > > >
> > > > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > > > >
> > > > > > > > could be right. the original idea was to have burns decay over time,
> > > > > > > > like ASIC's.
> > > > > > > > anyway the point was not that "i had a magic formula"
> > > > > > > > the point was that proof of burn is almost always better than proof of
> > > > > > > > stake - simply because the "proof" is on-chain, not sitting on a node
> > > > > > > > somewhere waiting to be stolen.
> > > > > > > > On Mon, May 24, 2021 at 9:53 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > > >
> > > > > > > > > Is this the kind of proof of burn you're talking about?
> > > > > > > > >
> > > > > > > > > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
> > > > > > > > >
> > > > > > > > > What prevents you from attempting to mine block 553 on both chains?
> > > > > > > > >
> > > > > > > > > > miners have a very strong, long-term, investment in the stability of the chain.
> > > > > > > > >
> > > > > > > > > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
> > > > > > > > >
> > > > > > > > > > you burn them to be used at a future particular block height
> > > > > > > > >
> > > > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > > > > >
> > > > > > > > > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
> > > > > > > > >
> > > > > > > > > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
> > > > > > > > > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > > >
> > > > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > > > > I'm fuzzy on how proof of burn works.
> > > > > > > > > >
> > > > > > > > > > when you burn coins, you burn them to be used at a future particular
> > > > > > > > > > block height: so if i'm burning for block 553, i can only use them to
> > > > > > > > > > mine block 553. if i have a choice between two chains, one longer
> > > > > > > > > > and one shorter, i can only choose one... deterministically, for that
> > > > > > > > > > burn: the chain with the height 553. if we fix the "lead time" for
> > > > > > > > > > burned coins to be weeks or even months in advance, miners have a very
> > > > > > > > > > strong, long-term, investment in the stability of the chain.
> > > > > > > > > > therefore there is no "nothing at stake" problem. it's
> > > > > > > > > > deterministic, so miners have no choice. they can only choose the
> > > > > > > > > > transactions that go into the block. they cannot choose which chain
> > > > > > > > > > to mine, and it's time-locked, so rollbacks and instability always
> > > > > > > > > > hurt miners the most.
> > > > > > > > > > the "punishment" systems of PoS are "weird at best", certainly
> > > > > > > > > > unproven. i can imagine scenarios where large stakeholders can
> > > > > > > > > > collude to punish smaller stakeholders simply to drive them out of
> > > > > > > > > > business, for example. and then you have to put checks in place to
> > > > > > > > > > prevent that, and more checks for those prevention system...
> > > > > > > > > > in PoB, there is no complexity. simpler systems like this are
> > > > > > > > > > typically more secure.
> > > > > > > > > > PoB also solves problems caused by "energy dependence", which could
> > > > > > > > > > lead to state monopolies on mining (like the new Bitcoin Mining
> > > > > > > > > > Council). these consortiums, if state sanctioned, could become a
> > > > > > > > > > source of censorship, for example. Since PoB doesn't require you to
> > > > > > > > > > have a live, well-connected node, it's harder to censor & harder to
> > > > > > > > > > trace.
> > > > > > > > > > Eliminating this weakness seems to be in the best interests of
> > > > > > > > > > existing stakeholders
> > > > > > > > > > On Mon, May 24, 2021 at 4:44 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > > > >
> > > > > > > > > > > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
> > > > > > > > > > >
> > > > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > > >
> > > > > > > > > > > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
> > > > > > > > > > >
> > > > > > > > > > > > proof of burn can be more secure than proof-of-stake
> > > > > > > > > > >
> > > > > > > > > > > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
> > > > > > > > > > > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > > > > >
> > > > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > > >
> > > > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > > > > >
> > > > > > > > > > > > > how does proof of burn solve the "nothing at stake" problem in your view?
> > > > > > > > > > > >
> > > > > > > > > > > > definition of nothing at stake: in the event of a fork, whether the
> > > > > > > > > > > > fork is accidental or a malicious, the optimal strategy for any miner
> > > > > > > > > > > > is to mine on every chain, so that the miner gets their reward no
> > > > > > > > > > > > matter which fork wins. indeed in proof-of-stake, the proofs are
> > > > > > > > > > > > published on the very chains mines, so the incentive is magnified.
> > > > > > > > > > > > in proof-of-burn, your burn investment is always "at stake", any
> > > > > > > > > > > > redaction can result in a loss-of-burn, because burns can be tied,
> > > > > > > > > > > > precisely, to block-heights
> > > > > > > > > > > > as a result, miners no longer have an incentive to mine all chains
> > > > > > > > > > > > in this way proof of burn can be more secure than proof-of-stake, and
> > > > > > > > > > > > even more secure than proof of work
> > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Hi Billy,
> > > > > > > > > > > > > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
> > > > > > > > > > > > > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
> > > > > > > > > > > > > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> > > > > > > > > > > > > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
> > > > > > > > > > > > > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
> > > > > > > > > > > > > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
> > > > > > > > > > > > > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
> > > > > > > > > > > > > In PoS systems this clean separation of responsibilities does not exist.
> > > > > > > > > > > > > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
> > > > > > > > > > > > > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
> > > > > > > > > > > > > But the devil is in the detail.
> > > > > > > > > > > > > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
> > > > > > > > > > > > >
> > > > > > > > > > > > > ### Proof of SquareSpace (Cardano, Polkdadot)
> > > > > > > > > > > > >
> > > > > > > > > > > > > Cardano is a UTXO based PoS coin based on Ouroboros Praos3 with an inbuilt on-chain delegation system5.
> > > > > > > > > > > > > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
> > > > > > > > > > > > > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
> > > > > > > > > > > > > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
> > > > > > > > > > > > >
> > > > > > > > > > > > > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
> > > > > > > > > > > > >
> > > > > > > > > > > > > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and you never help create a block without seeing it first.
> > > > > > > > > > > > >
> > > > > > > > > > > > > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
> > > > > > > > > > > > > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
> > > > > > > > > > > > > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
> > > > > > > > > > > > > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
> > > > > > > > > > > > > It also grows the size of the blockchain significantly.
> > > > > > > > > > > > >
> > > > > > > > > > > > > ### "Pure" proof of stake (Algorand)
> > > > > > > > > > > > >
> > > > > > > > > > > > > Algorand's4 approach is to only allow online stake to participate in the protocol.
> > > > > > > > > > > > > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
> > > > > > > > > > > > > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"1 that will be used to create blocks on your coin holding key's behalf.
> > > > > > > > > > > > > Hopefully you've spotted the problem.
> > > > > > > > > > > > > You can send your participation keys to any malicious party with a nice website (see random example 2) offering you a good return.
> > > > > > > > > > > > > Damn it's still Proof-of-SquareSpace!
> > > > > > > > > > > > > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
> > > > > > > > > > > > > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
> > > > > > > > > > > > >
> > > > > > > > > > > > > ### Conclusion
> > > > > > > > > > > > >
> > > > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > > > > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
> > > > > > > > > > > > > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
> > > > > > > > > > > > > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
> > > > > > > > > > > > > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
> > > > > > > > > > > > > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
> > > > > > > > > > > > > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
> > > > > > > > > > > > > Would be interested to know if you or others think differently on these points.
> > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > LL
> > > > > > > > > > > > > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) without compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
> > > > > > > > > > > > > > @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
> > > > > > > > > > > > > > - The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
> > > > > > > > > > > > > > - The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
> > > > > > > > > > > > > > - Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Proof-of-stake tends towards oligopolistic control
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
> > > > > > > > > > > > > > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Ah sorry, I didn't realize this was, in fact, a different thread! :)
> > > > > > > > > > > > > > > On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky mike@powx.org wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
> > > > > > > > > > > > > > > > Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> > > > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > > > Mike
> > > > > > > > > > > > > > > > On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > 1. i never suggested vdf's to replace pow.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > 2. my suggestion was specifically in the context of a working
> > > > > > > > > > > > > > > > > proof-of-burn protocol
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - vdfs used only for timing (not block height)
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - blind-burned coins of a specific age used to replace proof of work
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - the required "work" per block would simply be a competition to
> > > > > > > > > > > > > > > > > acquire rewards, and so miners would have to burn coins, well in
> > > > > > > > > > > > > > > > > advance, and hope that their burned coins got rewarded in some far
> > > > > > > > > > > > > > > > > future
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - the point of burned coins is to mimic, in every meaningful way, the
> > > > > > > > > > > > > > > > > value gained from proof of work... without some of the security
> > > > > > > > > > > > > > > > > drawbacks
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - the miner risks losing all of his burned coins (like all miners risk
> > > > > > > > > > > > > > > > > losing their work in each block)
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - new burns can't be used
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - old burns age out (like ASICs do)
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > - other requirements on burns might be needed to properly mirror the
> > > > > > > > > > > > > > > > > properties of PoW and the incentives Bitcoin uses to mine honestly.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > 3. i do believe it is possible that a "burned coin + vdf system"
> > > > > > > > > > > > > > > > > might be more secure in the long run, and that if the entire space
> > > > > > > > > > > > > > > > > agreed that such an endeavor was worthwhile, a test net could be spun
> > > > > > > > > > > > > > > > > up, and a hard-fork could be initiated.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > 4. i would never suggest such a thing unless i believed it was
> > > > > > > > > > > > > > > > > possible that consensus was possible. so no, this is not an "alt
> > > > > > > > > > > > > > > > > coin"
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On Tue, May 18, 2021 at 10:02 AM Zac Greenwood zachgrw@gmail.com wrote:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Hi ZmnSCPxj,
> > > > > > > > > > > > > > > > > > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
> > > > > > > > > > > > > > > > > > Zac
> > > > > > > > > > > > > > > > > > On Tue, 18 May 2021 at 12:42, ZmnSCPxj ZmnSCPxj@protonmail.com wrote:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > Good morning Zac,
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > VDFs might enable more constant block times, for instance by having a two-step PoW:
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > As a result, variation in block times will be greatly reduced.
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
> > > > > > > > > > > > > > > > > > > Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even worse competition and even more energy consumption.
> > > > > > > > > > > > > > > > > > > After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where only you can mine in the entire world.
> > > > > > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > > > > > ZmnSCPxj
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > >
> > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-01 19:26 ` befreeandopen
@ 2021-06-01 20:28 ` Erik Aronesty
2021-06-03 5:30 ` SatoshiSingh
0 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-06-01 20:28 UTC (permalink / raw)
To: befreeandopen; +Cc: Bitcoin Protocol Discussion, SatoshiSingh, Billy Tetrud
> the classical debate with PoS supporters - I explain an attack and they "patch it", creating problem elsewhere
i agree. my original post was:
"assume that we can accurately mimic the investment in ASIC's and the
expenditure of electricity with "burns" of coin representing that
investment"
only given that assumption can i state with confidence:
- proof of burn is better than proof of stake
and only because
- your stake is sitting on a node somewhere, able to be stolen
everything else is speculation about my original assumption.
overall a good PoB would have a
- large, up front buy-in event (buying the ASIC)
- delay function (timing)
- block-specific burn (electricity use... lost if burn is not selected)
- burns linked to specific buy-ins (can only burn the ASIC's i bought in)
- max-burn === max-buy-in (ASICs have capacity)
- max-burn decays over time (ASIC's become less valuable over time)
block-height === sum of block-specific burn
On Tue, Jun 1, 2021 at 3:26 PM befreeandopen
<befreeandopen@protonmail.com> wrote:
>
> Comments inline.
>
>
>
> > > Could you explain what am I missing here, because this actually does not seem better, but rather worse than some PoS schemes?
> >
> > Given your example, if !BTC is needed to burn, that's a $50k
> > investment in an ASIC needed to mine a block. That's not anywhere
> > near current levels. It's not even approaching the current PoW. A
> > $50k investment to be a large amount of hash power is ... well,
> > somewhere more than 10 years ago.
>
> This is +- true with todays prices, that was not my point. We all know that today's total block revenue is nowhere near 1 BTC. If it is say 7 BTC, then we would expect that the miners spend roughly just about 7 BTC to produce the block - in long term, on average. Right? Today, this 7 BTC is supposed to be some average of investment into the mining rig, the building in which the rig exists (or its rent) and then some electricity. So when I said 1 BTC I meant that amount of BTC that is the sum of the block subsidy and fees at the time of this imagined switch to PoB. Use 7 BTC if you want to talk today. And yes, that seems very weak. But can you explain why it is not the case after switching to PoB that the cost of producing the block should roughly converge to to the revenue? Because I do not see why would miners spend more than what they can earn.
>
>
>
>
>
> > My original proof-of-burn concept was designed to mimic ASICs as much
> > as possible:
> >
> > 1. large initial investment (burn to acquire power)
> > 2. continued investment (burn to activate power in each block, lost if
> > block is not found)
> >
> > Ideally, the attacker would have to keep burning for each lottery
> > ticket, which can only be used once. Committing that burn to a
> > particular block for example.
> >
> > Any attack you propose for a "assumed well designed PoB" can also attack PoW.
> > Any attack you propose for a "assumed well designed PoB" can also attack PoS.
> >
> > But there are some things PoB can do that PoS can't... which is really
> > my original point.
>
> This is the problem that I wanted to avoid. You refer to some "my original PoB", but I am strictly talking about the concept described in wiki because nothing else was provided to me. If we do not have a reference description of what you are talking about the debate will quickly turn into the classical debate with PoS supporters - I explain an attack and they "patch it", creating problem elsewhere. Then I explain an attack against that and they patch it there. And this goes infinitely.
>
> So if there is some other version, better one than the one described in wiki, please let me know. If there is not, there is nothing to talk about really. You'd first need to define your model properly and describe very details of how it should work and then we can analyze it. It does not make much sense to me to analyze a ghost protocol that I always only see a tiny part of.
>
> For example here above in the quoted text you mention some continual lost (if block is not found). If that is not the exponential decay as described in the wiki, then I have no idea what it is. I do not say that I can't imagine for myself what it could be, but it is up to you to define it, so we can be sure we are talking about the same thing.
>
> Same with those early unblinding of burns - nothing about that in the wiki, so that concept is alien to me and it can not be subject to a debate before it is precisely described.
>
>
>
>
> >
> >
> > - sunk costs/lost investment
> > - "hashpower" is "offline", and cannot be seized.
> >
> > On Tue, Jun 1, 2021 at 4:21 AM befreeandopen
> > befreeandopen@protonmail.com wrote:
> >
> >
> > > Erik, thanks for the link. So referring to https://en.bitcoin.it/wiki/Proof_of_burn, I do not really understand how this is supposed to be that much better over many proof of stake proposals. If there is more research on PoB, please note I'm not commenting on that as I only read this wiki article and my comments are purely related to this only.
> > > I hope we can agree that the idea with manual insertion of entropy every week can be discarded, but at the same time I don't think it is a crucial point of the whole idea. So we can just focus on the rest of it.
> > > Then the whole idea seems just like certain proof of stake implementations with just small differences, which I try to summarize:
> > >
> > > - in PoB, in order to use the coin for block production, you burn it in the past and wait some time -- in the certain PoS I'm talking about, in order to use the coin, you do not move the coin for some time - so in both there is the same idea - you somehow make the coin eligible for the block creation process by first doing some action followed by some inaction for some time; the difference here is that if later you use such coin in PoS, then after waiting more time, you can use the coin again (for whatever purpose), while in PoB the coin is gone forever (it is burned); this does not seem to be fundamentally different
> > >
> > > - in PoB, the author suggests there is an exponential decay of the power of the coin to create a block; in some PoS schemas, there historically was an era of so called CoinAge mechanism, which was somewhat inverse to this exponential decay, it was that the coin gets more power the older it is untouched, some implementations were for linear increase in the power, some exponential. Usually there was a certain limit - i.e. a maximum power the coin may have reached. It turned out quite quickly that such property is making attacks easier. PoB reverses the idea, but I don't think that helps that much. In any case, there seems to be an optimal period of time for each used coin, in both PoS and PoB, where the coin is most suitable for block production. I admit PoB version is better, but the crucial property here is that some coins are more powerful than other.
> > >
> > > - in both PoB and PoS it seems there is linear increase of the ability of the coin to produce blocks with the size of the coin (more BTC you burn/stake, the better your chance)
> > >
> > >
> > > This characteristic of PoB does not suggest that it would have that much different properties than PoS. So it should suffer from same problems as PoS. Namely, the problems I see now, with the given proposal from wiki, are:
> > >
> > > - there seems to be lack of definition of the heaviest chain and difficulty adjustment - this seems crucial, but likely solvable, I'm just saying it is importantly missing in the description
> > >
> > > - there seems to be a problem with nothing at stake (nothing at burn maybe?) - How that can be? Again, it seems that every burned coin can be used for free checks at any time after the initial waiting period. These free checks are indeed free and are the core of the nothing at stake problem in PoS. You seem to make those checks for free and you seem to be able to use those burned coins to create arbitrary number of forks build on any parent blocks of your choice, not just the last block of the heaviest chain. I can't see at the moment how is this different from PoS nothing at stake problem. Maybe you can explain?
> > >
> > > - it seems to me that there is a trivial attack against the scheme by a wealthy attacker. Suppose a common size of the burn is 1 BTC per block, suppose you define the heaviest chain rule somehow in relation to total number of burned coins or the cumulative "strength" of the "lowest" hashes, then you can just burn 20 UTXOs, each being 10 BTC in value, so you spent 200 BTC on this attack, but you are in very strong position because after you wait the needed time, you should be able to do pretty nasty reorg. Suppose that the main chain is A-B-C-D-E-F, so what you do at that point is that you just "try for free" all your 20 UTXOs, whether or not they can build on top of block A (which has 5 confs on top, F is the tip of the main chain). Since you have big UTXOs, your chances should be good, of course you can always try many times because you have a "lottery ticket" for every timestampt t. So with this you should be able, with good chance, to find such B' and then you have 19 UTXOs remaining to try to build on B' in the same way. I can't see what prevents this attack in the described scheme.
> > >
> > > - the ability to retroactively try all different kids of timestamp t seems devastating - you again get super easy and somewhat cheap attack (due to nothing at burn problem) that allows you to rewrite even long chains at will.
> > >
> > >
> > > Could you explain what am I missing here, because this actually does not seem better, but rather worse than some PoS schemes?
> > > Sent with ProtonMail Secure Email.
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Friday, May 28, 2021 9:06 PM, Erik Aronesty erik@q32.com wrote:
> > >
> > > > best writeup i know of is here:
> > > > https://en.bitcoin.it/wiki/Proof_of_burn
> > > > no formal proposals or proofs that i know of.
> > > > On Fri, May 28, 2021 at 10:40 AM befreeandopen
> > > > befreeandopen@protonmail.com wrote:
> > > >
> > > > > Erik, I am sorry, I have little knowledge about proof-of-burn, I never found it interesting up until now. Some of your recent claims seem quite strong to me and I'd like to read more.
> > > > > Forgive me if this has been mentioned recently, but is there a full specification of the concept you are referring to? I don't mean just the basic idea description (that much is clear to me), I mean a fully detailed proposal or technical documentation that would give me a precise information about what exactly it is that you are talking about.
> > > > > Sent with ProtonMail Secure Email.
> > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty erik@q32.com wrote:
> > > > >
> > > > > > note: the "nothing at stake" problem you propose is not broken for
> > > > > > proof-of-burn, because the attacker
> > > > > > a) has no idea which past transactions are burns
> > > > > > b) has no way to use his mining power, even 5%, to maliciously improve
> > > > > > his odds of being selected
> > > > > > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > > > > > befreeandopen@protonmail.com wrote:
> > > > > >
> > > > > > > @befreeandopen I guess I misunderstood your selfish minting attack. Let me make sure I understand it. You're saying it would go as follows?:
> > > > > > >
> > > > > > > 1. The malicious actor comes across an opportunity to mint the next 3 blocks. But they hold off and don't release their blocks just yet.
> > > > > > > 2. They receive a new block minted by someone else.
> > > > > > > 3. The malicious actor then chooses to release their other 2 blocks on on the second from the top block if it gives them more blocks in the future than minting on the top block. And instead lets the top block proceed if it gives them more blocks in the future (also figuring in the 3 blocks they're missing out on minting).
> > > > > > > 4. Profit!
> > > > > > >
> > > > > > > The problem with this attack is that any self respecting PoS system wouldn't have the information available for minters to know how blocks will affect their future prospects of minting. Otherwise this would introduce the problem of stake grinding. This can be done using collaborative randomness (where numbers from many parties are combined to create a random number that no individual party could predict). In fact, that's what the Casper protocol does to decide quorums. In a non quorum case, you can do something like record a hash of a number in the block header, and then have a second step to release that number later. Rewards can be given can be used to ensure minters act honestly here by minting messages that release these numbers and not releasing their secret numbers too early.
> > > > > > > Yes, you misunderstood it. First, let me say that the above thoughts of yours are incorrect, at least for non-quorum case. Since the transition in the blockchain system from S1 to S2 is only by adding new block, and since stakers always need to be able to decide whether or not they can add the next block, it follows that if a staker creates a new block locally, she can decide whether the new state allows her to add another block on top. As you mentioned, this COULD introduce problem of staking, that you are incorrect in that it is a necessity. Usual prevention of the grinding problem in this case is that an "old enough" source of randomness applies for the current block production process. Of course this, as it is typical for PoS, introduces other problems, but let's discard those.
> > > > > > > I will try to explain in detail what you misunderstood before. You start with a chain ending with blocks A-B-C, C being the top, the common feature of PoS system (non-quorum), roughly speaking, is that if N is the total amount of coins that participate in the staking process to create a new block on top of C (let's call that D), then a participant having K*N amount of stake has chance K to be the one who will create the next stake. In other words, the power of stakers is supposed to be linear in the system - you own 10 coins gives you 10x the chance of finding block over someone who has 1 coin.
> > > > > > > What i was claiming is that using the technique I have described, this linearity is violated. Why? Well, it works for honest stakers among the competition of honest stakers - they really do have the chance of K to find the next block. However, the attacker, using nothing at stake, checks her ability to build block D (at some timestamp). If she is successful, she does not propagate D immediately, but instead she also checks whether she can build on top of B and on top of A. Since with every new timestamp, usually, there is a new chance to build the block, it is not uncommon that she finds she is indeed able to build such block C' on top of B. Here it is likely t(C') > t(C) as the attacker has relatively low stake. Note that in order to produce such C', she not only could have tried the current timestamp t(D), but also all previous timestamps up to t(B) (usually that's the consensus rule, but it may depend on a specific consensus). So her chance to produce such C' is greater than her previous chance of producing C (which chance was limited by other stakers in the system and the discovery of block C by one of them). Now suppose that she found such C' and now she continues by trying to prolong this chain by finding D'. And again here, it is quite likely that her chance to find such D' is greater than was her chance of finding D because again there are likely multiple timestamps she could try. This all was possible just because nothing at stake allows you to just try if you can produce a block in certain state of block chain or not. Now if she actually was able to find D', she discards D and only publishes chain A-B-C'-D', which can not be punished despite the fact that she indeed produced two different forks. She can not be punished because this production was local and only the final result of A-B-C'-D' was published, in which case she gained an extra block over the honest strategy which would only give her block D.
> > > > > > > Fun fact tho: there is an attack called the "selfish mining attack" for proof of work, and it reduces the security of PoW by at least 1/3rd.
> > > > > > > How is that relevant to our discussion? This is known research that has nothing to do with PoS except that it is often worse on PoS.
> > > > > > >
> > > > > > > > the problem is not as hard as you think
> > > > > > >
> > > > > > > I don't claim to know just how hard finding the IP address associated with a bitcoin address is. However, the DOS risk can be solved more completely by only allowing the owner of coins themselves to know whether they can mint a block. Eg by determining whether someone can mint a block based on their public key hidden behind hashes (as normal in addresses). Only when someone does in fact mint a block do they reveal their hidden public key in order to prove they are allowed to mint the block.
> > > > > > > This is true, but you are mixing quorum and non-quorum systems. My objection here was towards such system where I specifically said that the list of producers for next epoch is known up front and you confirmed that this is what you meant with "quorum" system. So in such system, I claimed, the known producer is the only target at any given point of time. This of course does not apply to any other type of system where future producers are not known. No need to dispute, again, something that was not claimed.
> > > > > > >
> > > > > > > > I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message)
> > > > > > >
> > > > > > > I'm glad we agree there. Perhaps I misunderstood what you meant by "you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere."
> > > > > > > Perhaps you should quote the full sentence and not just a part of it:
> > > > > > > "Of course you can always change the rules in a way that a certain specific attack is not doable, but you should not omit to mention that by doing so, typically, you have introduced another problem elsewhere, or you have not solved it completely."
> > > > > > > You can parse this as: (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
> > > > > > > In case of the punishment it was meant to be the not solve it completely part.
> > > > > > > Also "typically" does not imply always.
> > > > > > > But this parsing of English sentences for you seems very off topic here. My point is, in context of Bitcoin, reject such unsupported claims that PoS is a reasonable alternative to PoW, let's stick to that.
> > > > > > >
> > > > > > > > As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake
> > > > > > >
> > > > > > > Well, if you're in the closed system of the cryptocurrency, sure. But we don't live in that closed system. Minters will earn some ROI from minting just like any other financial activity. Others may find more success spending their time doing things other than figuring out how to mint coins. In that case, they'll be able to earn more coin that they could later decide to use to mint blocks if they decide to.
> > > > > > > This only supports the point I was making. Since the optimal scenario with all existing coins participating is just theoretical, the attacker's position will ever so improve. It seems we are in agreement here, great.
> > > > > > >
> > > > > > > > Just because of the above we must reject PoS as being critically insecure
> > > > > > >
> > > > > > > I think the only thing we can conclude from this is that you have come up with an insecure proof of stake protocol. I don't see how anything you've brought up amounts to substantial evidence that all possible PoS protocols are insecure.
> > > > > > > I have not come up with anything. I'm afraid you've not realized the burden of proof is on your side if you vouch for a design that is not believed and trusted to be secure. It is up to you to show that you know how to solve every problem that people throw at you. So far we have just demonstrated that your claim that nothing at stake is solved was unjustified. You have not described a system that would solve it (and not introduce critical DDOS attack vector as it is in quorum based systems - per the prior definition of such systems).
> > > > > > > Of course the list of problems of PoS systems do not end with just nothing at stake, but it is good enough example that by itself prevents its adoption in decentralized consensus. No need to go to other hard problems without solving nothing at stake.
> > > > > > > On Tue, May 25, 2021 at 11:10 AM befreeandopen befreeandopen@protonmail.com wrote:
> > > > > > >
> > > > > > > > @befreeandopen " An attacker can calculate whether or not she can prolong this chain or not and if so with what timestamp."
> > > > > > > > The scenario you describe would only be likely to happen at all if the malicious actor has a very large fraction of the stake - probably quite close to 50%. At that point, you're talking about a 51% attack, not the nothing at stake problem. The nothing at stake problem is the problem where anyone will mint on any chain. Its clear that if there's a substantial punishment for minting on chains other than the one that eventually wins, every minter without a significant fraction of the stake will be honest and not attempt to mint on old blocks or support someone else's attempt to mint on old blocks (until and if it becomes the heaviest chain). Because the attacker would need probably >45% of the active stake (take a look at the reasoning here for a deeper analysis of that statement), I don't agree that punishment is not a sufficient mitigation of the nothing at stake problem. To exploit the nothing at stake problem, you basically need to 51% attack, at which point you've exceeded the operating conditions of the system, so of course its gonna have problems, just like a 51% attack would cause with PoW.
> > > > > > > > This is not at all the case. The attacker benefits using the described technique at any size of the stake and significantly so with just 5% of the stake. By significantly, I do not mean that the attacker is able to completely take control the network (in short term), but rather that the attacker has significant advantage in the number of blocks she creates compared to what she "should be able to create". This means the attacker's stake increases significantly faster than of the honest nodes, which in long term is very serious in PoS system. If you believe close to 50% is needed for that, you need to redo your math. So no, you are wrong stating that "to exploit nothing at stake problem you basically need to 51% attack". It is rather the opposite - eventually, nothing at stake attack leads to ability to perform 51% attack.
> > > > > > > >
> > > > > > > > > I am not sure if this is what you call quorum-based PoS
> > > > > > > >
> > > > > > > > Yes, pre-selected minters is exactly what I mean by that.
> > > > > > > >
> > > > > > > > > it allows the attacker to know who to attack at which point with powerful DDOS in order to hurt liveness of such system
> > > > > > > >
> > > > > > > > Just like in bitcoin, associating keys with IP addresses isn't generally an easy thing to do on the fly like that. If you know someone's IP address, you can target them. But if you only know their address or public key, the reverse isn't as easy. With a quorum-based PoS system, you can see their public key and address, but finding out their IP to DOS would be a huge challenge I think.
> > > > > > > > I do not dispute that the problem is not trivial, but the problem is not as hard as you think. The network graph analysis is a known technique and it is not trivial, but not very hard either. Introducing a large number of nodes to the system to achieve very good success rate of analysis of area of origin of blocks is doable and has been done in past. So again, I very much disagree with your conclusion that this is somehow secure. It is absolutely insecure.
> > > > > > > > Note, tho, that quorum-based PoS generally also have punishments as part of the protocol. The introduction of punishments do indeed handily solve the nothing at stake problem. And you didn't mention a single problem that the punishments introduce that weren't already there before punishments. There are tradeoffs with introducing punishments (eg in some cases you might punish honest actors), but they are minor in comparison to solving the nothing at stake problem.
> > > > > > > > While I agree that introduction of punishment itself does not imply introducing a problem elsewhere (which I did not claim if you reread my previous message), it does introduce additional complexity which may introduce problem, but more importantly, while it slightly improves resistance against the nothing at stake attack, it solves absolutely nothing. Your claim is based on wrong claim of needed close to 50% stake, but that could not be farther from the truth. It is not true even in optimal conditions when all participants of the network stake or delegate their stake. These optimal conditions rarely, if ever, occur. And that's another thing that we have not mention in our debate, so please allow me to introduce another problem to PoS.
> > > > > > > > Consider what is needed for such optimal conditions to occur - all coins are always part of the stake, which means that they need to somehow automatically part of the staking process even when they are moved. But in many PoS systems you usually require some age (in terms of confirmations) of the coin before you allow it to be used for participation in staking process and that is for a good reason - to prevent various grinding attacks. In some systems the coin must be specifically registered before it can be staked, in others, simply waiting for enough confirmations enables you to stake with the coin. I am not sure if there is a system which does not have this cooling period for a coin that has been moved. Maybe it is possible though, but AFAIK it is not common and not battle tested feature.
> > > > > > > > Then if we admit that achieving the optimal condition is rather theoretical. Then if we do not have the optimal condition, it means that a staker with K% of the total available supply increases it's percentage over time to some amounts >K%. As long as the staker makes sure (which is not that hard) that she does not miss a chance to create a block, her significance in the system will always increase in time. It will increase relative to all normal users who do not stake (if there are any) and relative to all other stakers who make mistakes or who are not wealthy enough to afford not selling any position ever. But powerful attacker is exactly in such position and thus she will gain significance in such a system. The technique I have described, and that you mistakenly think is viable only with huge amounts of stake, only puts the attacker to even greater advantage. But even without the described attack (which exploits nothing at stake), the PoS system converges to a system more and more controlled by powerful entity, which we can assume is the attacker.
> > > > > > > > So I don't think it is at all misleading to claim that "nothing at stake" is a solved problem. I do in fact mean that the solutions to that problem don't introduce any other problems with anywhere near the same level of significance.
> > > > > > > > It still stands as truly misleading claim. I disagree that introducing DDOS opportunity with medium level of difficulty for the attacker to implement it, in case of "quorum-based PoS" is not a problem anywhere near the same level of significance. Such an attack vector allows you to turn off the network if you spend some time and money. That is hardly acceptable.
> > > > > > > > Just because of the above we must reject PoS as being critically insecure until someone invents and demonstrates an actual way of solving these issues.
> > > > > > > > On Tue, May 25, 2021 at 3:00 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > >
> > > > > > > > > > > you burn them to be used at a future particular block height
> > > > > > > > >
> > > > > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > > > > >
> > > > > > > > > could be right. the original idea was to have burns decay over time,
> > > > > > > > > like ASIC's.
> > > > > > > > > anyway the point was not that "i had a magic formula"
> > > > > > > > > the point was that proof of burn is almost always better than proof of
> > > > > > > > > stake - simply because the "proof" is on-chain, not sitting on a node
> > > > > > > > > somewhere waiting to be stolen.
> > > > > > > > > On Mon, May 24, 2021 at 9:53 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > > > >
> > > > > > > > > > Is this the kind of proof of burn you're talking about?
> > > > > > > > > >
> > > > > > > > > > > if i have a choice between two chains, one longer and one shorter, i can only choose one... deterministically
> > > > > > > > > >
> > > > > > > > > > What prevents you from attempting to mine block 553 on both chains?
> > > > > > > > > >
> > > > > > > > > > > miners have a very strong, long-term, investment in the stability of the chain.
> > > > > > > > > >
> > > > > > > > > > Yes, but the same can be said of any coin, even ones that do have the nothing at stake problem. This isn't sufficient tho because the chain is a common good, and the tragedy of the commons holds for it.
> > > > > > > > > >
> > > > > > > > > > > you burn them to be used at a future particular block height
> > > > > > > > > >
> > > > > > > > > > This sounds exploitable. It seems like an attacker could simply focus all their burns on a particular set of 6 blocks to double spend, minimizing their cost of attack.
> > > > > > > > > >
> > > > > > > > > > > i can imagine scenarios where large stakeholders can collude to punish smaller stakeholders simply to drive them out of business, for example
> > > > > > > > > >
> > > > > > > > > > Are you talking about a 51% attack? This is possible in any decentralized cryptocurrency.
> > > > > > > > > > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > > > >
> > > > > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > > > > > I'm fuzzy on how proof of burn works.
> > > > > > > > > > >
> > > > > > > > > > > when you burn coins, you burn them to be used at a future particular
> > > > > > > > > > > block height: so if i'm burning for block 553, i can only use them to
> > > > > > > > > > > mine block 553. if i have a choice between two chains, one longer
> > > > > > > > > > > and one shorter, i can only choose one... deterministically, for that
> > > > > > > > > > > burn: the chain with the height 553. if we fix the "lead time" for
> > > > > > > > > > > burned coins to be weeks or even months in advance, miners have a very
> > > > > > > > > > > strong, long-term, investment in the stability of the chain.
> > > > > > > > > > > therefore there is no "nothing at stake" problem. it's
> > > > > > > > > > > deterministic, so miners have no choice. they can only choose the
> > > > > > > > > > > transactions that go into the block. they cannot choose which chain
> > > > > > > > > > > to mine, and it's time-locked, so rollbacks and instability always
> > > > > > > > > > > hurt miners the most.
> > > > > > > > > > > the "punishment" systems of PoS are "weird at best", certainly
> > > > > > > > > > > unproven. i can imagine scenarios where large stakeholders can
> > > > > > > > > > > collude to punish smaller stakeholders simply to drive them out of
> > > > > > > > > > > business, for example. and then you have to put checks in place to
> > > > > > > > > > > prevent that, and more checks for those prevention system...
> > > > > > > > > > > in PoB, there is no complexity. simpler systems like this are
> > > > > > > > > > > typically more secure.
> > > > > > > > > > > PoB also solves problems caused by "energy dependence", which could
> > > > > > > > > > > lead to state monopolies on mining (like the new Bitcoin Mining
> > > > > > > > > > > Council). these consortiums, if state sanctioned, could become a
> > > > > > > > > > > source of censorship, for example. Since PoB doesn't require you to
> > > > > > > > > > > have a live, well-connected node, it's harder to censor & harder to
> > > > > > > > > > > trace.
> > > > > > > > > > > Eliminating this weakness seems to be in the best interests of
> > > > > > > > > > > existing stakeholders
> > > > > > > > > > > On Mon, May 24, 2021 at 4:44 PM Billy Tetrud billy.tetrud@gmail.com wrote:
> > > > > > > > > > >
> > > > > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > > > > >
> > > > > > > > > > > > Well.. the coins to be burned need to be online when they're burned. But yes, only a small fraction of the total coins need to be online.
> > > > > > > > > > > >
> > > > > > > > > > > > > your burn investment is always "at stake", any redaction can result in a loss-of-burn, because burns can be tied, precisely, to block-heights
> > > > > > > > > > > >
> > > > > > > > > > > > So you're saying that if say someone tries to mine a block on a shorter chain, that requires them to send a transaction burning their coins, and that transaction could also be spent on the longest chain, which means their coins are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on how proof of burn works.
> > > > > > > > > > > >
> > > > > > > > > > > > > proof of burn can be more secure than proof-of-stake
> > > > > > > > > > > >
> > > > > > > > > > > > FYI, proof of stake can be done without the "nothing at stake" problem. You can simply punish people who mint on shorter chains (by rewarding people who publish proofs of this happening on the main chain). In quorum-based PoS, you can punish people in the quorum that propose or sign multiple blocks for the same height. The "nothing at stake" problem is a solved problem at this point for PoS.
> > > > > > > > > > > > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty erik@q32.com wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > > > >
> > > > > > > > > > > > > proof of burn clearly solves this, since nothing is held online
> > > > > > > > > > > > >
> > > > > > > > > > > > > > how does proof of burn solve the "nothing at stake" problem in your view?
> > > > > > > > > > > > >
> > > > > > > > > > > > > definition of nothing at stake: in the event of a fork, whether the
> > > > > > > > > > > > > fork is accidental or a malicious, the optimal strategy for any miner
> > > > > > > > > > > > > is to mine on every chain, so that the miner gets their reward no
> > > > > > > > > > > > > matter which fork wins. indeed in proof-of-stake, the proofs are
> > > > > > > > > > > > > published on the very chains mines, so the incentive is magnified.
> > > > > > > > > > > > > in proof-of-burn, your burn investment is always "at stake", any
> > > > > > > > > > > > > redaction can result in a loss-of-burn, because burns can be tied,
> > > > > > > > > > > > > precisely, to block-heights
> > > > > > > > > > > > > as a result, miners no longer have an incentive to mine all chains
> > > > > > > > > > > > > in this way proof of burn can be more secure than proof-of-stake, and
> > > > > > > > > > > > > even more secure than proof of work
> > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
> > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Hi Billy,
> > > > > > > > > > > > > > I was going to write a post which started by dismissing many of the weak arguments that are made against PoS made in this thread and elsewhere.
> > > > > > > > > > > > > > Although I don't agree with all your points you have done a decent job here so I'll focus on the second part: why I think Proof-of-Stake is inappropriate for a Bitcoin-like system.
> > > > > > > > > > > > > > Proof of stake is not fit for purpose for a global settlement layer in a pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> > > > > > > > > > > > > > PoS necessarily gives responsibilities to the holders of coins that they do not want and cannot handle.
> > > > > > > > > > > > > > In Bitcoin, large unsophisticated coin holders can put their coins in cold storage without a second thought given to the health of the underlying ledger.
> > > > > > > > > > > > > > As much as hardcore Bitcoiners try to convince them to run their own node, most don't, and that's perfectly acceptable.
> > > > > > > > > > > > > > At no point do their personal decisions affect the underlying consensus -- it only affects their personal security assurance (not that of the system itself).
> > > > > > > > > > > > > > In PoS systems this clean separation of responsibilities does not exist.
> > > > > > > > > > > > > > I think that the more rigorously studied PoS protocols will work fine within the security claims made in their papers.
> > > > > > > > > > > > > > People who believe that these protocols are destined for catastrophic consensus failure are certainly in for a surprise.
> > > > > > > > > > > > > > But the devil is in the detail.
> > > > > > > > > > > > > > Let's look at what the implications of using the leading proof of stake protocols would have on Bitcoin:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ### Proof of SquareSpace (Cardano, Polkdadot)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Cardano is a UTXO based PoS coin based on Ouroboros Praos3 with an inbuilt on-chain delegation system5.
> > > > > > > > > > > > > > In these protocols, coin holders who do not want to run their node with their hot keys in it delegate it to a "Stake Pool".
> > > > > > > > > > > > > > I call the resulting system Proof-of-SquareSpace since most will choose a pool by looking around for one with a nice website and offering the largest share of the block reward.
> > > > > > > > > > > > > > On the surface this might sound no different than someone with an mining rig shopping around for a good mining pool but there are crucial differences:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 1. The person making the decision is forced into it just because they own the currency -- someone with a mining rig has purchased it with the intent to make profit by participating in consensus.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 2. When you join a mining pool your systems are very much still online. You are just partaking in a pool to reduce your profit variance. You still see every block that you help create and you never help create a block without seeing it first.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 3. If by SquareSpace sybil attack you gain a dishonest majority and start censoring transactions how are the users meant to redelegate their stake to honest pools?
> > > > > > > > > > > > > > I guess they can just send a transaction delegating to another pool...oh wait I guess that might be censored too! This seems really really bad.
> > > > > > > > > > > > > > In Bitcoin, miners can just join a different pool at a whim. There is nothing the attacker can do to stop them. A temporary dishonest majority heals relatively well.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > There is another severe disadvantage to this on-chain delegation system: every UTXO must indicate which staking account this UTXO belongs to so the appropriate share of block rewards can be transferred there.
> > > > > > > > > > > > > > Being able to associate every UTXO to an account ruins one of the main privacy advantages of the UTXO model.
> > > > > > > > > > > > > > It also grows the size of the blockchain significantly.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ### "Pure" proof of stake (Algorand)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Algorand's4 approach is to only allow online stake to participate in the protocol.
> > > > > > > > > > > > > > Theoretically, This means that keys holding funds have to be online in order for them to author blocks when they are chosen.
> > > > > > > > > > > > > > Of course in reality no one wants to keep their coin holding keys online so in Alogorand you can authorize a set of "participation keys"1 that will be used to create blocks on your coin holding key's behalf.
> > > > > > > > > > > > > > Hopefully you've spotted the problem.
> > > > > > > > > > > > > > You can send your participation keys to any malicious party with a nice website (see random example 2) offering you a good return.
> > > > > > > > > > > > > > Damn it's still Proof-of-SquareSpace!
> > > > > > > > > > > > > > The minor advantage is that at least the participation keys expire after a certain amount of time so eventually the SquareSpace attacker will lose their hold on consensus.
> > > > > > > > > > > > > > Importantly there is also less junk on the blockchain because the participation keys are delegated off-chain and so are not making as much of a mess.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ### Conclusion
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I don't see a way to get around the conflicting requirement that the keys for large amounts of coins should be kept offline but those are exactly the coins we need online to make the scheme secure.
> > > > > > > > > > > > > > If we allow delegation then we open up a new social attack surface and it degenerates to Proof-of-SquareSpace.
> > > > > > > > > > > > > > For a "digital gold" like system like Bitcoin we optimize for simplicity and desperately want to avoid extraneous responsibilities for the holder of the coin.
> > > > > > > > > > > > > > After all, gold is an inert element on the periodic table that doesn't confer responsibilities on the holder to maintain the quality of all the other bars of gold out there.
> > > > > > > > > > > > > > Bitcoin feels like this too and in many ways is more inert and beautifully boring than gold.
> > > > > > > > > > > > > > For Bitcoin to succeed I think we need to keep it that way and Proof-of-Stake makes everything a bit too exciting.
> > > > > > > > > > > > > > I suppose in the end the market will decide what is real digital gold and whether these bad technical trade offs are worth being able to say it uses less electricity. It goes without saying that making bad technical decisions to appease the current political climate is an anathema to Bitcoin.
> > > > > > > > > > > > > > Would be interested to know if you or others think differently on these points.
> > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > LL
> > > > > > > > > > > > > > On Fri, 21 May 2021 at 19:21, Billy Tetrud via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I think there is a lot of misinformation and bias against Proof of Stake. Yes there have been lots of shady coins that use insecure PoS mechanisms. Yes there have been massive issues with distribution of PoS coins (of course there have also been massive issues with PoW coins as well). However, I want to remind everyone that there is a difference between "proved to be impossible" and "have not achieved recognized success yet". Most of the arguments levied against PoS are out of date or rely on unproven assumptions or extrapolation from the analysis of a particular PoS system. I certainly don't think we should experiment with bitcoin by switching to PoS, but from my research, it seems very likely that there is a proof of stake consensus protocol we could build that has substantially higher security (cost / capital required to execute an attack) while at the same time costing far less resources (which do translate to fees on the network) without compromising any of the critical security properties bitcoin relies on. I think the critical piece of this is the disagreements around hardcoded checkpoints, which is a critical piece solving attacks that could be levied on a PoS chain, and how that does (or doesn't) affect the security model.
> > > > > > > > > > > > > > > @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 51% attack happens. While I agree, I think that line of thinking omits important facts:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > - The capital required to 51% attack a PoS chain can be made substantially greater than on a PoS chain.
> > > > > > > > > > > > > > > - The capital the attacker stands to lose can be substantially greater as well if the attack is successful.
> > > > > > > > > > > > > > > - The effectiveness of paying miners to raise the honest fraction of miners above 50% may be quite bad.
> > > > > > > > > > > > > > > - Allowing a 51% attack is already unacceptable. It should be considered whether what happens in the case of a 51% may not be significantly different. The currency would likely be critically damaged in a 51% attack regardless of consensus mechanism.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Proof-of-stake tends towards oligopolistic control
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > People repeat this often, but the facts support this. There is no centralization pressure in any proof of stake mechanism that I'm aware of. IE if you have 10 times as much coin that you use to mint blocks, you should expect to earn 10x as much minting revenue - not more than 10x. By contrast, proof of work does in fact have clear centralization pressure - this is not disputed. Our goal in relation to that is to ensure that the centralization pressure remains insignifiant. Proof of work also clearly has a lot more barriers to entry than any proof of stake system does. Both of these mean the tendency towards oligopolistic control is worse for PoW.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I certainly agree. Bitcoin's energy usage at the moment is I think quite warranted. However, the question is: can we do substantially better. I think if we can, we probably should... eventually.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Proof of Stake is only resilient to ⅓ of the network demonstrating a Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I see no mention of this in the pos.pdf you linked to. I'm not aware of any proof that all PoS systems have a failure threshold of 1/3. I know that staking systems like Casper do in fact have that 1/3 requirement. However there are PoS designs that should exceed that up to nearly 50% as far as I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold in the way you would think. IE, if 100% of miners are currently honest and have a collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is because as the attacker accumulates hashpower, it drives honest miners out of the market as the difficulty increases to beyond what is economically sustainable. Also, its been shown that the best proof of work can do is require an attacker to obtain 33% of the hashpower because of the selfish mining attack discussed in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Proof of Stake requires other trade-offs which are incompatible with Bitcoin's objective (to be a trustless digital cash) — specifically the famous "security vs. liveness" guarantee
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Do you have a good source that talks about why you think proof of stake cannot be used for a trustless digital cash?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > You cannot gain tokens without someone choosing to give up those coins - a form of permission.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > This is not a practical constraint. Just like in mining, some nodes may reject you, but there will likely be more that will accept you, some sellers may reject you, but most would accept your money as payment for bitcoins. I don't think requiring the "permission" of one of millions of people in the market can be reasonably considered a "permissioned currency".
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 2. Proof of stake must have a trusted means of timestamping to regulate overproduction of blocks
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Both PoW and PoS could mine/mint blocks twice as fast if everyone agreed to double their clock speeds. Both systems rely on an honest majority sticking to standard time.
> > > > > > > > > > > > > > > On Wed, May 19, 2021 at 5:32 AM Michael Dubrovsky via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Ah sorry, I didn't realize this was, in fact, a different thread! :)
> > > > > > > > > > > > > > > > On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky mike@powx.org wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself. PoS, VDFs, and so on are interesting but I guess there are other threads going on these topics already where they would be relevant.
> > > > > > > > > > > > > > > > > Also, it's important to distinguish between oPoW and these other "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter the core game theory or security assumptions of Hashcash and actually contains SHA (can be SHA3, SHA256, etc hash is interchangeable).
> > > > > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > > > > > Mike
> > > > > > > > > > > > > > > > > On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 1. i never suggested vdf's to replace pow.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 2. my suggestion was specifically in the context of a working
> > > > > > > > > > > > > > > > > > proof-of-burn protocol
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - vdfs used only for timing (not block height)
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - blind-burned coins of a specific age used to replace proof of work
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - the required "work" per block would simply be a competition to
> > > > > > > > > > > > > > > > > > acquire rewards, and so miners would have to burn coins, well in
> > > > > > > > > > > > > > > > > > advance, and hope that their burned coins got rewarded in some far
> > > > > > > > > > > > > > > > > > future
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - the point of burned coins is to mimic, in every meaningful way, the
> > > > > > > > > > > > > > > > > > value gained from proof of work... without some of the security
> > > > > > > > > > > > > > > > > > drawbacks
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - the miner risks losing all of his burned coins (like all miners risk
> > > > > > > > > > > > > > > > > > losing their work in each block)
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - new burns can't be used
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - old burns age out (like ASICs do)
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > - other requirements on burns might be needed to properly mirror the
> > > > > > > > > > > > > > > > > > properties of PoW and the incentives Bitcoin uses to mine honestly.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 3. i do believe it is possible that a "burned coin + vdf system"
> > > > > > > > > > > > > > > > > > might be more secure in the long run, and that if the entire space
> > > > > > > > > > > > > > > > > > agreed that such an endeavor was worthwhile, a test net could be spun
> > > > > > > > > > > > > > > > > > up, and a hard-fork could be initiated.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > 4. i would never suggest such a thing unless i believed it was
> > > > > > > > > > > > > > > > > > possible that consensus was possible. so no, this is not an "alt
> > > > > > > > > > > > > > > > > > coin"
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > On Tue, May 18, 2021 at 10:02 AM Zac Greenwood zachgrw@gmail.com wrote:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > Hi ZmnSCPxj,
> > > > > > > > > > > > > > > > > > > Please note that I am not suggesting VDFs as a means to save energy, but solely as a means to make the time between blocks more constant.
> > > > > > > > > > > > > > > > > > > Zac
> > > > > > > > > > > > > > > > > > > On Tue, 18 May 2021 at 12:42, ZmnSCPxj ZmnSCPxj@protonmail.com wrote:
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > Good morning Zac,
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > VDFs might enable more constant block times, for instance by having a two-step PoW:
> > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to difficulty adjustments similar to the as-is). As per the property of VDFs, miners are able show proof of work.
> > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 minute on average, again subject to as-is difficulty adjustments.
> > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > As a result, variation in block times will be greatly reduced.
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > As I understand it, another weakness of VDFs is that they are not inherently progress-free (their sequential nature prevents that; they are inherently progress-requiring).
> > > > > > > > > > > > > > > > > > > > Thus, a miner which focuses on improving the amount of energy that it can pump into the VDF circuitry (by overclocking and freezing the circuitry), could potentially get into a winner-takes-all situation, possibly leading to even worse competition and even more energy consumption.
> > > > > > > > > > > > > > > > > > > > After all, if you can start mining 0.1s faster than the competition, that is a 0.1s advantage where only you can mine in the entire world.
> > > > > > > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > > > > > > ZmnSCPxj
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > Michael Dubrovsky
> > > > > > > > > > > > > > > > Founder; PoWx
> > > > > > > > > > > > > > > > www.PoWx.org
> > > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > bitcoin-dev mailing list
> > > > > > > > > > > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > > > > > > > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-01 20:28 ` Erik Aronesty
@ 2021-06-03 5:30 ` SatoshiSingh
2021-06-07 6:15 ` Billy Tetrud
0 siblings, 1 reply; 67+ messages in thread
From: SatoshiSingh @ 2021-06-03 5:30 UTC (permalink / raw)
To: Erik Aronesty, befreeandopen, billy.tetrud; +Cc: Bitcoin Protocol Discussion
Great conversation everyone. I'm happy we're still engaged with this discussion. To add food for thought I'm bringing back something that was introduced in this mailing list sometime ago, which is Proof of Less Work.
PoLW may or may not be it but we can certainly get more ideas from it to keep the discussion going.
https://raw.githubusercontent.com/alephium/research/master/polw.pdf
Sent with ProtonMail Secure Email.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-03 5:30 ` SatoshiSingh
@ 2021-06-07 6:15 ` Billy Tetrud
0 siblings, 0 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-06-07 6:15 UTC (permalink / raw)
To: SatoshiSingh; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 1406 bytes --]
@SatoshiSingh PoLW sounds like a hybrid of PoW and proof of burn. I agree
with befreeandopen that proof of burn is basically a form of proof of
stake. My conclusion from this exploration
<https://github.com/fresheneesz/proofOfTimeOwnership> is that hybrid
protocols are a dead end because hybrid protocols have one weaker link
that's easier to attack.
In this case, miners are burning coinbase rewards. The proof of stake is
the burn itself. However, a miner would only burn coins if doing so lead to
greater rewards in the future. So the burned coins are in fact actually
earned, and still have value. Therefore I would think that miners would
still do an amount of work totaling up to the full value of the block
reward, regardless of whether they burn it, because any burnt coins should
be expected to lead to more coins in the future than were burned. What am I
missing?
On Wed, Jun 2, 2021 at 10:30 PM SatoshiSingh <SatoshiSingh@protonmail.com>
wrote:
> Great conversation everyone. I'm happy we're still engaged with this
> discussion. To add food for thought I'm bringing back something that was
> introduced in this mailing list sometime ago, which is Proof of Less Work.
>
> PoLW may or may not be it but we can certainly get more ideas from it to
> keep the discussion going.
>
> https://raw.githubusercontent.com/alephium/research/master/polw.pdf
>
>
> Sent with ProtonMail Secure Email.
>
>
[-- Attachment #2: Type: text/html, Size: 1889 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-05-23 3:41 ` Lloyd Fournier
2021-05-23 19:10 ` Billy Tetrud
2021-05-24 13:47 ` Erik Aronesty
@ 2021-06-15 11:13 ` James MacWhyte
2021-06-17 1:48 ` Lloyd Fournier
2021-06-17 3:31 ` Cloud Strife
2 siblings, 2 replies; 67+ messages in thread
From: James MacWhyte @ 2021-06-15 11:13 UTC (permalink / raw)
To: Lloyd Fournier, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 1366 bytes --]
@Lloyd wrote:
Of course in reality no one wants to keep their coin holding keys online so
> in Alogorand you can authorize a set of "participation keys"[1] that will
> be used to create blocks on your coin holding key's behalf.
> Hopefully you've spotted the problem.
> You can send your participation keys to any malicious party with a nice
> website (see random example [2]) offering you a good return.
> Damn it's still Proof-of-SquareSpace!
>
I believe we are talking about a comparison to PoW, correct? If you want to
mine PoW, you need to buy expensive hardware and configure it to work, and
wait a long time to get any return by solo mining. Or you can join a mining
pool, which might use your hashing power for nefarious purposes. Or you
might skip the hardware all together and fall for some "cloud mining"
scheme with a pretty website and a high rate of advertised return. So as
you can see, Proof-of-SquareSpace exists in PoW as well!
The PoS equivalent of buying mining hardware is setting up your own
validator and not outsourcing that to anyone else. So both PoW and PoS have
the professional/expert way of participating, and the fraud-prone, amateur
way of participating. The only difference is, with PoS the
professional/expert way is accessible to anyone with a raspberry Pi and a
web connection, which is a much lower barrier to entry than PoW.
[-- Attachment #2: Type: text/html, Size: 1824 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-15 11:13 ` James MacWhyte
@ 2021-06-17 1:48 ` Lloyd Fournier
2021-06-17 3:31 ` Cloud Strife
1 sibling, 0 replies; 67+ messages in thread
From: Lloyd Fournier @ 2021-06-17 1:48 UTC (permalink / raw)
To: James MacWhyte; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 2195 bytes --]
@James wrote:
On Tue, 15 Jun 2021 at 21:13, James MacWhyte <macwhyte@gmail.com> wrote:
>
> @Lloyd wrote:
>
> Of course in reality no one wants to keep their coin holding keys online
>> so in Alogorand you can authorize a set of "participation keys"[1] that
>> will be used to create blocks on your coin holding key's behalf.
>> Hopefully you've spotted the problem.
>> You can send your participation keys to any malicious party with a nice
>> website (see random example [2]) offering you a good return.
>> Damn it's still Proof-of-SquareSpace!
>>
>
> I believe we are talking about a comparison to PoW, correct? If you want
> to mine PoW, you need to buy expensive hardware and configure it to work,
> and wait a long time to get any return by solo mining. Or you can join a
> mining pool, which might use your hashing power for nefarious purposes.
>
A mining pool using your hashrate for nefarious purposes can easily be
observed since they send you the contents of the block you are mining
before your hardware starts working on it. This difference is crucial.
Mining pools exist just to reduce income variance.
> Or you might skip the hardware all together and fall for some "cloud
> mining" scheme with a pretty website and a high rate of advertised return.
> So as you can see, Proof-of-SquareSpace exists in PoW as well!
>
I'd agree that "cloud mining" pretty much is Proof-of-SquareSpace for PoW.
Fortunately these services make up a tiny fraction of hashrate.
> The PoS equivalent of buying mining hardware is setting up your own
> validator and not outsourcing that to anyone else. So both PoW and PoS have
> the professional/expert way of participating, and the fraud-prone, amateur
> way of participating. The only difference is, with PoS the
> professional/expert way is accessible to anyone with a raspberry Pi and a
> web connection, which is a much lower barrier to entry than PoW.
>
And yet despite this, the fraud-prone amteur way of participating accounts
for the majority of stake in PoS systems while the professional/expert way
of participating accounts for the overwhelming majority of hashpower in
Bitcoin. It looks like you have elegantly proved my point!
LL
[-- Attachment #2: Type: text/html, Size: 3377 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-15 11:13 ` James MacWhyte
2021-06-17 1:48 ` Lloyd Fournier
@ 2021-06-17 3:31 ` Cloud Strife
2021-06-22 17:45 ` Billy Tetrud
1 sibling, 1 reply; 67+ messages in thread
From: Cloud Strife @ 2021-06-17 3:31 UTC (permalink / raw)
To: James MacWhyte, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 2911 bytes --]
Barrier to entry in PoW is matter for hardware and energy is permissionless
and exist all over the universe, permissionless cost which exists for
everyone no matter who because it's unforgeable.
Barrier to entry in PoS is being given permission by the previous owner of
a token for you to have it via transfer or sale, both choices they never
have to make since there are no continuous costs with producing blocks
forcing it. A permission is an infinitely high barrier to entry if the
previous owner, like the premining party, refuses to give up the token they
control.
You're skipping the part where you depend on a permission of a central
party in control of the authority token before you can produce blocks on
your rasberry Pi.
Proof of stake is not in any possible way relevant to permissionless
protocols, and thus not possibly relevant to decentralized protocols where
control must be distributed to independent (i.e. permissionless) parties.
There's nothing of relevance to discuss and this has been figured out long
long ago.
https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> @Lloyd wrote:
>
> Of course in reality no one wants to keep their coin holding keys online
>> so in Alogorand you can authorize a set of "participation keys"[1] that
>> will be used to create blocks on your coin holding key's behalf.
>> Hopefully you've spotted the problem.
>> You can send your participation keys to any malicious party with a nice
>> website (see random example [2]) offering you a good return.
>> Damn it's still Proof-of-SquareSpace!
>>
>
> I believe we are talking about a comparison to PoW, correct? If you want
> to mine PoW, you need to buy expensive hardware and configure it to work,
> and wait a long time to get any return by solo mining. Or you can join a
> mining pool, which might use your hashing power for nefarious purposes. Or
> you might skip the hardware all together and fall for some "cloud mining"
> scheme with a pretty website and a high rate of advertised return. So as
> you can see, Proof-of-SquareSpace exists in PoW as well!
>
> The PoS equivalent of buying mining hardware is setting up your own
> validator and not outsourcing that to anyone else. So both PoW and PoS have
> the professional/expert way of participating, and the fraud-prone, amateur
> way of participating. The only difference is, with PoS the
> professional/expert way is accessible to anyone with a raspberry Pi and a
> web connection, which is a much lower barrier to entry than PoW.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 4182 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-17 3:31 ` Cloud Strife
@ 2021-06-22 17:45 ` Billy Tetrud
2021-06-23 18:14 ` Keagan McClelland
0 siblings, 1 reply; 67+ messages in thread
From: Billy Tetrud @ 2021-06-22 17:45 UTC (permalink / raw)
To: Cloud Strife, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 4468 bytes --]
> Barrier to entry in PoS is being given permission by the previous owner
of a token
The idea that proof of stake is not permissionless is completely invalid.
It pains me to see such an argument here. Perhaps we can come to an
agreement by being more specific. I'd like to propose the following:
Premise: There is a healthy exchange market for PoS Coin X with tens of
thousands of participants bidding to buy and sell the coin for other
currencies on the market.
If the premise above is true, then there is no significant permission
needed to enter the market for minting blocks for PoS Coin X. If you make a
bid on someone's coins and they don't like you and refuse, you can move on
to any one of the other tens of thousands of people in that marketplace.
Would you agree, Cloud Strife, that this situation couldn't be considered
"permissioned"?
If not, consider that participation in *any* decentralized system requires
the permission of at least one user in that system. If there are thousands
of bitcoin public nodes, you require the permission of at least one of them
to participate in bitcoin. No one considers bitcoin "permissioned" because
of this. Do you agree?
On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Barrier to entry in PoW is matter for hardware and energy is
> permissionless and exist all over the universe, permissionless cost which
> exists for everyone no matter who because it's unforgeable.
>
> Barrier to entry in PoS is being given permission by the previous owner of
> a token for you to have it via transfer or sale, both choices they never
> have to make since there are no continuous costs with producing blocks
> forcing it. A permission is an infinitely high barrier to entry if the
> previous owner, like the premining party, refuses to give up the token they
> control.
>
> You're skipping the part where you depend on a permission of a central
> party in control of the authority token before you can produce blocks on
> your rasberry Pi.
>
> Proof of stake is not in any possible way relevant to permissionless
> protocols, and thus not possibly relevant to decentralized protocols where
> control must be distributed to independent (i.e. permissionless) parties.
>
> There's nothing of relevance to discuss and this has been figured out long
> long ago.
>
> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>
>
> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>
>
>
>
> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>>
>> @Lloyd wrote:
>>
>> Of course in reality no one wants to keep their coin holding keys online
>>> so in Alogorand you can authorize a set of "participation keys"[1] that
>>> will be used to create blocks on your coin holding key's behalf.
>>> Hopefully you've spotted the problem.
>>> You can send your participation keys to any malicious party with a nice
>>> website (see random example [2]) offering you a good return.
>>> Damn it's still Proof-of-SquareSpace!
>>>
>>
>> I believe we are talking about a comparison to PoW, correct? If you want
>> to mine PoW, you need to buy expensive hardware and configure it to work,
>> and wait a long time to get any return by solo mining. Or you can join a
>> mining pool, which might use your hashing power for nefarious purposes. Or
>> you might skip the hardware all together and fall for some "cloud mining"
>> scheme with a pretty website and a high rate of advertised return. So as
>> you can see, Proof-of-SquareSpace exists in PoW as well!
>>
>> The PoS equivalent of buying mining hardware is setting up your own
>> validator and not outsourcing that to anyone else. So both PoW and PoS have
>> the professional/expert way of participating, and the fraud-prone, amateur
>> way of participating. The only difference is, with PoS the
>> professional/expert way is accessible to anyone with a raspberry Pi and a
>> web connection, which is a much lower barrier to entry than PoW.
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 6326 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-22 17:45 ` Billy Tetrud
@ 2021-06-23 18:14 ` Keagan McClelland
2021-06-24 0:14 ` Billy Tetrud
0 siblings, 1 reply; 67+ messages in thread
From: Keagan McClelland @ 2021-06-23 18:14 UTC (permalink / raw)
To: Billy Tetrud, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 5701 bytes --]
> Premise: There is a healthy exchange market for PoS Coin X with tens of
thousands of participants bidding to buy and sell the coin for other
currencies on the market.
The difference here though is that Proof of Stake allows the quorum of coin
holders to block the exchange of said coins if they are going to a
particular destination. Nothing requires these staking nodes to include
particular transactions into a block. With that in mind, it isn't just that
you require the permission of the person who sold you the coins, which I
can agree is a less dangerous form of permission, but you must also require
the permission of at least 51% of the coin holders to even receive those
coins in the first place. This is not true in a Proof of Work system and
this difference absolutely should not be trivialized.
Keagan
On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> > Barrier to entry in PoS is being given permission by the previous owner
> of a token
>
> The idea that proof of stake is not permissionless is completely invalid.
> It pains me to see such an argument here. Perhaps we can come to an
> agreement by being more specific. I'd like to propose the following:
>
> Premise: There is a healthy exchange market for PoS Coin X with tens of
> thousands of participants bidding to buy and sell the coin for other
> currencies on the market.
>
> If the premise above is true, then there is no significant permission
> needed to enter the market for minting blocks for PoS Coin X. If you make a
> bid on someone's coins and they don't like you and refuse, you can move on
> to any one of the other tens of thousands of people in that marketplace.
> Would you agree, Cloud Strife, that this situation couldn't be considered
> "permissioned"?
>
> If not, consider that participation in *any* decentralized system requires
> the permission of at least one user in that system. If there are thousands
> of bitcoin public nodes, you require the permission of at least one of them
> to participate in bitcoin. No one considers bitcoin "permissioned" because
> of this. Do you agree?
>
> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Barrier to entry in PoW is matter for hardware and energy is
>> permissionless and exist all over the universe, permissionless cost which
>> exists for everyone no matter who because it's unforgeable.
>>
>> Barrier to entry in PoS is being given permission by the previous owner
>> of a token for you to have it via transfer or sale, both choices they never
>> have to make since there are no continuous costs with producing blocks
>> forcing it. A permission is an infinitely high barrier to entry if the
>> previous owner, like the premining party, refuses to give up the token they
>> control.
>>
>> You're skipping the part where you depend on a permission of a central
>> party in control of the authority token before you can produce blocks on
>> your rasberry Pi.
>>
>> Proof of stake is not in any possible way relevant to permissionless
>> protocols, and thus not possibly relevant to decentralized protocols where
>> control must be distributed to independent (i.e. permissionless) parties.
>>
>> There's nothing of relevance to discuss and this has been figured out
>> long long ago.
>>
>>
>> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>
>>
>> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>
>>
>>
>>
>> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>>
>>> @Lloyd wrote:
>>>
>>> Of course in reality no one wants to keep their coin holding keys online
>>>> so in Alogorand you can authorize a set of "participation keys"[1] that
>>>> will be used to create blocks on your coin holding key's behalf.
>>>> Hopefully you've spotted the problem.
>>>> You can send your participation keys to any malicious party with a nice
>>>> website (see random example [2]) offering you a good return.
>>>> Damn it's still Proof-of-SquareSpace!
>>>>
>>>
>>> I believe we are talking about a comparison to PoW, correct? If you want
>>> to mine PoW, you need to buy expensive hardware and configure it to work,
>>> and wait a long time to get any return by solo mining. Or you can join a
>>> mining pool, which might use your hashing power for nefarious purposes. Or
>>> you might skip the hardware all together and fall for some "cloud mining"
>>> scheme with a pretty website and a high rate of advertised return. So as
>>> you can see, Proof-of-SquareSpace exists in PoW as well!
>>>
>>> The PoS equivalent of buying mining hardware is setting up your own
>>> validator and not outsourcing that to anyone else. So both PoW and PoS have
>>> the professional/expert way of participating, and the fraud-prone, amateur
>>> way of participating. The only difference is, with PoS the
>>> professional/expert way is accessible to anyone with a raspberry Pi and a
>>> web connection, which is a much lower barrier to entry than PoW.
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 8007 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-23 18:14 ` Keagan McClelland
@ 2021-06-24 0:14 ` Billy Tetrud
2021-06-24 0:37 ` Keagan McClelland
2021-06-24 17:34 ` yanmaani
0 siblings, 2 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-06-24 0:14 UTC (permalink / raw)
To: Keagan McClelland; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 6317 bytes --]
> This is not true in a Proof of Work system and this difference
absolutely should not be trivialized.
That is in fact true of Proof of Work as well. If a colluding coalition of
miners with more than 50% of the hashrate want to censor transactions, they
absolutely can do that by orphaning blocks that contain transactions
they want to censor. This is not different in proof of stake.
On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland <
keagan.mcclelland@gmail.com> wrote:
> > Premise: There is a healthy exchange market for PoS Coin X with tens of
> thousands of participants bidding to buy and sell the coin for other
> currencies on the market.
>
> The difference here though is that Proof of Stake allows the quorum of
> coin holders to block the exchange of said coins if they are going to a
> particular destination. Nothing requires these staking nodes to include
> particular transactions into a block. With that in mind, it isn't just that
> you require the permission of the person who sold you the coins, which I
> can agree is a less dangerous form of permission, but you must also require
> the permission of at least 51% of the coin holders to even receive those
> coins in the first place. This is not true in a Proof of Work system and
> this difference absolutely should not be trivialized.
>
> Keagan
>
> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> > Barrier to entry in PoS is being given permission by the previous
>> owner of a token
>>
>> The idea that proof of stake is not permissionless is completely invalid.
>> It pains me to see such an argument here. Perhaps we can come to an
>> agreement by being more specific. I'd like to propose the following:
>>
>> Premise: There is a healthy exchange market for PoS Coin X with tens of
>> thousands of participants bidding to buy and sell the coin for other
>> currencies on the market.
>>
>> If the premise above is true, then there is no significant permission
>> needed to enter the market for minting blocks for PoS Coin X. If you make a
>> bid on someone's coins and they don't like you and refuse, you can move on
>> to any one of the other tens of thousands of people in that marketplace.
>> Would you agree, Cloud Strife, that this situation couldn't be considered
>> "permissioned"?
>>
>> If not, consider that participation in *any* decentralized system
>> requires the permission of at least one user in that system. If there are
>> thousands of bitcoin public nodes, you require the permission of at least
>> one of them to participate in bitcoin. No one considers bitcoin
>> "permissioned" because of this. Do you agree?
>>
>> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Barrier to entry in PoW is matter for hardware and energy is
>>> permissionless and exist all over the universe, permissionless cost which
>>> exists for everyone no matter who because it's unforgeable.
>>>
>>> Barrier to entry in PoS is being given permission by the previous owner
>>> of a token for you to have it via transfer or sale, both choices they never
>>> have to make since there are no continuous costs with producing blocks
>>> forcing it. A permission is an infinitely high barrier to entry if the
>>> previous owner, like the premining party, refuses to give up the token they
>>> control.
>>>
>>> You're skipping the part where you depend on a permission of a central
>>> party in control of the authority token before you can produce blocks on
>>> your rasberry Pi.
>>>
>>> Proof of stake is not in any possible way relevant to permissionless
>>> protocols, and thus not possibly relevant to decentralized protocols where
>>> control must be distributed to independent (i.e. permissionless) parties.
>>>
>>> There's nothing of relevance to discuss and this has been figured out
>>> long long ago.
>>>
>>>
>>> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>>
>>>
>>> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>>
>>>
>>>
>>>
>>> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>>
>>>> @Lloyd wrote:
>>>>
>>>> Of course in reality no one wants to keep their coin holding keys
>>>>> online so in Alogorand you can authorize a set of "participation keys"[1]
>>>>> that will be used to create blocks on your coin holding key's behalf.
>>>>> Hopefully you've spotted the problem.
>>>>> You can send your participation keys to any malicious party with a
>>>>> nice website (see random example [2]) offering you a good return.
>>>>> Damn it's still Proof-of-SquareSpace!
>>>>>
>>>>
>>>> I believe we are talking about a comparison to PoW, correct? If you
>>>> want to mine PoW, you need to buy expensive hardware and configure it to
>>>> work, and wait a long time to get any return by solo mining. Or you can
>>>> join a mining pool, which might use your hashing power for nefarious
>>>> purposes. Or you might skip the hardware all together and fall for some
>>>> "cloud mining" scheme with a pretty website and a high rate of advertised
>>>> return. So as you can see, Proof-of-SquareSpace exists in PoW as well!
>>>>
>>>> The PoS equivalent of buying mining hardware is setting up your own
>>>> validator and not outsourcing that to anyone else. So both PoW and PoS have
>>>> the professional/expert way of participating, and the fraud-prone, amateur
>>>> way of participating. The only difference is, with PoS the
>>>> professional/expert way is accessible to anyone with a raspberry Pi and a
>>>> web connection, which is a much lower barrier to entry than PoW.
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
[-- Attachment #2: Type: text/html, Size: 8821 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-24 0:14 ` Billy Tetrud
@ 2021-06-24 0:37 ` Keagan McClelland
2021-06-24 17:34 ` yanmaani
1 sibling, 0 replies; 67+ messages in thread
From: Keagan McClelland @ 2021-06-24 0:37 UTC (permalink / raw)
To: Billy Tetrud; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 6975 bytes --]
> That is in fact true of Proof of Work as well. If a colluding coalition
of miners with more than 50% of the hashrate want to censor transactions,
they absolutely can do that by orphaning blocks that contain transactions
they want to censor. This is not different in proof of stake.
This power does not translate into them being able to block your
acquisition of hashpower itself, a property extremely different than in
proof of stake.
On Wed, Jun 23, 2021 at 6:14 PM Billy Tetrud <billy.tetrud@gmail.com> wrote:
> > This is not true in a Proof of Work system and this difference
> absolutely should not be trivialized.
>
> That is in fact true of Proof of Work as well. If a colluding coalition of
> miners with more than 50% of the hashrate want to censor transactions, they
> absolutely can do that by orphaning blocks that contain transactions
> they want to censor. This is not different in proof of stake.
>
> On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland <
> keagan.mcclelland@gmail.com> wrote:
>
>> > Premise: There is a healthy exchange market for PoS Coin X with tens of
>> thousands of participants bidding to buy and sell the coin for other
>> currencies on the market.
>>
>> The difference here though is that Proof of Stake allows the quorum of
>> coin holders to block the exchange of said coins if they are going to a
>> particular destination. Nothing requires these staking nodes to include
>> particular transactions into a block. With that in mind, it isn't just that
>> you require the permission of the person who sold you the coins, which I
>> can agree is a less dangerous form of permission, but you must also require
>> the permission of at least 51% of the coin holders to even receive those
>> coins in the first place. This is not true in a Proof of Work system and
>> this difference absolutely should not be trivialized.
>>
>> Keagan
>>
>> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> > Barrier to entry in PoS is being given permission by the previous
>>> owner of a token
>>>
>>> The idea that proof of stake is not permissionless is completely
>>> invalid. It pains me to see such an argument here. Perhaps we can come to
>>> an agreement by being more specific. I'd like to propose the following:
>>>
>>> Premise: There is a healthy exchange market for PoS Coin X with tens of
>>> thousands of participants bidding to buy and sell the coin for other
>>> currencies on the market.
>>>
>>> If the premise above is true, then there is no significant permission
>>> needed to enter the market for minting blocks for PoS Coin X. If you make a
>>> bid on someone's coins and they don't like you and refuse, you can move on
>>> to any one of the other tens of thousands of people in that marketplace.
>>> Would you agree, Cloud Strife, that this situation couldn't be considered
>>> "permissioned"?
>>>
>>> If not, consider that participation in *any* decentralized system
>>> requires the permission of at least one user in that system. If there are
>>> thousands of bitcoin public nodes, you require the permission of at least
>>> one of them to participate in bitcoin. No one considers bitcoin
>>> "permissioned" because of this. Do you agree?
>>>
>>> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>> Barrier to entry in PoW is matter for hardware and energy is
>>>> permissionless and exist all over the universe, permissionless cost which
>>>> exists for everyone no matter who because it's unforgeable.
>>>>
>>>> Barrier to entry in PoS is being given permission by the previous owner
>>>> of a token for you to have it via transfer or sale, both choices they never
>>>> have to make since there are no continuous costs with producing blocks
>>>> forcing it. A permission is an infinitely high barrier to entry if the
>>>> previous owner, like the premining party, refuses to give up the token they
>>>> control.
>>>>
>>>> You're skipping the part where you depend on a permission of a central
>>>> party in control of the authority token before you can produce blocks on
>>>> your rasberry Pi.
>>>>
>>>> Proof of stake is not in any possible way relevant to permissionless
>>>> protocols, and thus not possibly relevant to decentralized protocols where
>>>> control must be distributed to independent (i.e. permissionless) parties.
>>>>
>>>> There's nothing of relevance to discuss and this has been figured out
>>>> long long ago.
>>>>
>>>>
>>>> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>>>
>>>>
>>>> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
>>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>
>>>>>
>>>>> @Lloyd wrote:
>>>>>
>>>>> Of course in reality no one wants to keep their coin holding keys
>>>>>> online so in Alogorand you can authorize a set of "participation keys"[1]
>>>>>> that will be used to create blocks on your coin holding key's behalf.
>>>>>> Hopefully you've spotted the problem.
>>>>>> You can send your participation keys to any malicious party with a
>>>>>> nice website (see random example [2]) offering you a good return.
>>>>>> Damn it's still Proof-of-SquareSpace!
>>>>>>
>>>>>
>>>>> I believe we are talking about a comparison to PoW, correct? If you
>>>>> want to mine PoW, you need to buy expensive hardware and configure it to
>>>>> work, and wait a long time to get any return by solo mining. Or you can
>>>>> join a mining pool, which might use your hashing power for nefarious
>>>>> purposes. Or you might skip the hardware all together and fall for some
>>>>> "cloud mining" scheme with a pretty website and a high rate of advertised
>>>>> return. So as you can see, Proof-of-SquareSpace exists in PoW as well!
>>>>>
>>>>> The PoS equivalent of buying mining hardware is setting up your own
>>>>> validator and not outsourcing that to anyone else. So both PoW and PoS have
>>>>> the professional/expert way of participating, and the fraud-prone, amateur
>>>>> way of participating. The only difference is, with PoS the
>>>>> professional/expert way is accessible to anyone with a raspberry Pi and a
>>>>> web connection, which is a much lower barrier to entry than PoW.
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
[-- Attachment #2: Type: text/html, Size: 9664 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-24 0:14 ` Billy Tetrud
2021-06-24 0:37 ` Keagan McClelland
@ 2021-06-24 17:34 ` yanmaani
2021-06-24 21:50 ` Erik Aronesty
1 sibling, 1 reply; 67+ messages in thread
From: yanmaani @ 2021-06-24 17:34 UTC (permalink / raw)
To: Billy Tetrud, Bitcoin Protocol Discussion
No, 51% of the *coin holders* can't do diddly squat. 51% of miners can,
but in PoW, that's a different set to the coin holders.
The basic problem with PoS, anyway, is that it's not actually a
consensus system ("weak subjectivity"). Either you allow long reorgs,
and then you open the door to long-range attacks, or you don't, and then
you're not guaranteed that all nodes agree on the state of the chain,
which was the purpose of the system to begin with.
To put it more plainly: for PoS to work, you need a consensus on which
block was seen first. But if you had that, you could presumably apply
that method to determine which *transaction* was seen first, in which
case you could do away with the blockchain entirely. (Real-world
implementations of PoS, such that they are, do away with this
requirement, scrapping the global consensus on ordering in favor of
having each node decide for itself which block came first.)
In other words, even if you solved all the incentive problems, the fact
remains that PoS is not suitable for use as a consensus system, because
it is constitutionally incapable of producing a consensus.
On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
>> This is not true in a Proof of Work system and this difference
> absolutely should not be trivialized.
>
> That is in fact true of Proof of Work as well. If a colluding
> coalition of miners with more than 50% of the hashrate want to censor
> transactions, they absolutely can do that by orphaning blocks that
> contain transactions they want to censor. This is not different in
> proof of stake.
>
> On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
> <keagan.mcclelland@gmail.com> wrote:
>
>>> Premise: There is a healthy exchange market for PoS Coin X with
>> tens of thousands of participants bidding to buy and sell the coin
>> for other currencies on the market.
>>
>> The difference here though is that Proof of Stake allows the quorum
>> of coin holders to block the exchange of said coins if they are
>> going to a particular destination. Nothing requires these staking
>> nodes to include particular transactions into a block. With that in
>> mind, it isn't just that you require the permission of the person
>> who sold you the coins, which I can agree is a less dangerous form
>> of permission, but you must also require the permission of at least
>> 51% of the coin holders to even receive those coins in the first
>> place. This is not true in a Proof of Work system and this
>> difference absolutely should not be trivialized.
>>
>> Keagan
>>
>> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Barrier to entry in PoS is being given permission by the previous
>> owner of a token
>>
>> The idea that proof of stake is not permissionless is completely
>> invalid. It pains me to see such an argument here. Perhaps we can
>> come to an agreement by being more specific. I'd like to propose the
>> following:
>>
>> Premise: There is a healthy exchange market for PoS Coin X with tens
>> of thousands of participants bidding to buy and sell the coin for
>> other currencies on the market.
>>
>> If the premise above is true, then there is no significant
>> permission needed to enter the market for minting blocks for PoS
>> Coin X. If you make a bid on someone's coins and they don't like you
>> and refuse, you can move on to any one of the other tens of
>> thousands of people in that marketplace. Would you agree, Cloud
>> Strife, that this situation couldn't be considered "permissioned"?
>>
>> If not, consider that participation in *any* decentralized system
>> requires the permission of at least one user in that system. If
>> there are thousands of bitcoin public nodes, you require the
>> permission of at least one of them to participate in bitcoin. No one
>> considers bitcoin "permissioned" because of this. Do you agree?
>>
>> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev
>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> Barrier to entry in PoW is matter for hardware and energy is
>> permissionless and exist all over the universe, permissionless cost
>> which exists for everyone no matter who because it's unforgeable.
>>
>> Barrier to entry in PoS is being given permission by the previous
>> owner of a token for you to have it via transfer or sale, both
>> choices they never have to make since there are no continuous costs
>> with producing blocks forcing it. A permission is an infinitely high
>> barrier to entry if the previous owner, like the premining party,
>> refuses to give up the token they control.
>>
>> You're skipping the part where you depend on a permission of a
>> central party in control of the authority token before you can
>> produce blocks on your rasberry Pi.
>>
>> Proof of stake is not in any possible way relevant to permissionless
>> protocols, and thus not possibly relevant to decentralized protocols
>> where control must be distributed to independent (i.e.
>> permissionless) parties.
>>
>> There's nothing of relevance to discuss and this has been figured
>> out long long ago.
>>
>>
> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>
>>
> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>
>> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev
>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> @Lloyd wrote:
>>
>> Of course in reality no one wants to keep their coin holding keys
>> online so in Alogorand you can authorize a set of "participation
>> keys"[1] that will be used to create blocks on your coin holding
>> key's behalf.
>> Hopefully you've spotted the problem.
>> You can send your participation keys to any malicious party with a
>> nice website (see random example [2]) offering you a good return.
>> Damn it's still Proof-of-SquareSpace!
>>
>> I believe we are talking about a comparison to PoW, correct? If you
>> want to mine PoW, you need to buy expensive hardware and configure
>> it to work, and wait a long time to get any return by solo mining.
>> Or you can join a mining pool, which might use your hashing power
>> for nefarious purposes. Or you might skip the hardware all together
>> and fall for some "cloud mining" scheme with a pretty website and a
>> high rate of advertised return. So as you can see,
>> Proof-of-SquareSpace exists in PoW as well!
>>
>> The PoS equivalent of buying mining hardware is setting up your own
>> validator and not outsourcing that to anyone else. So both PoW and
>> PoS have the professional/expert way of participating, and the
>> fraud-prone, amateur way of participating. The only difference is,
>> with PoS the professional/expert way is accessible to anyone with a
>> raspberry Pi and a web connection, which is a much lower barrier to
>> entry than PoW. _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-24 17:34 ` yanmaani
@ 2021-06-24 21:50 ` Erik Aronesty
2021-06-25 0:29 ` yanmaani
0 siblings, 1 reply; 67+ messages in thread
From: Erik Aronesty @ 2021-06-24 21:50 UTC (permalink / raw)
To: yanmaani, Bitcoin Protocol Discussion; +Cc: Billy Tetrud
> PoS is not suitable for use as a consensus system, because
it is constitutionally incapable of producing a consensus.
true - but only for a system that is starting from nothing.
since bitcoin already exists, and we have a consensus, you can use
bitcoin's existing consensus to maintain that consensus using
references to prior state. and yes, you simply have to limit reorgs
to not go back before PoW was abandoned in favor of PoS/PoB (assuming
all incentive problems are solved).
ie: once you have uses PoW to bootstrap the system, you can "recycle" that work.
On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> No, 51% of the *coin holders* can't do diddly squat. 51% of miners can,
> but in PoW, that's a different set to the coin holders.
>
> The basic problem with PoS, anyway, is that it's not actually a
> consensus system ("weak subjectivity"). Either you allow long reorgs,
> and then you open the door to long-range attacks, or you don't, and then
> you're not guaranteed that all nodes agree on the state of the chain,
> which was the purpose of the system to begin with.
>
> To put it more plainly: for PoS to work, you need a consensus on which
> block was seen first. But if you had that, you could presumably apply
> that method to determine which *transaction* was seen first, in which
> case you could do away with the blockchain entirely. (Real-world
> implementations of PoS, such that they are, do away with this
> requirement, scrapping the global consensus on ordering in favor of
> having each node decide for itself which block came first.)
>
> In other words, even if you solved all the incentive problems, the fact
> remains that PoS is not suitable for use as a consensus system, because
> it is constitutionally incapable of producing a consensus.
>
> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
> >> This is not true in a Proof of Work system and this difference
> > absolutely should not be trivialized.
> >
> > That is in fact true of Proof of Work as well. If a colluding
> > coalition of miners with more than 50% of the hashrate want to censor
> > transactions, they absolutely can do that by orphaning blocks that
> > contain transactions they want to censor. This is not different in
> > proof of stake.
> >
> > On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
> > <keagan.mcclelland@gmail.com> wrote:
> >
> >>> Premise: There is a healthy exchange market for PoS Coin X with
> >> tens of thousands of participants bidding to buy and sell the coin
> >> for other currencies on the market.
> >>
> >> The difference here though is that Proof of Stake allows the quorum
> >> of coin holders to block the exchange of said coins if they are
> >> going to a particular destination. Nothing requires these staking
> >> nodes to include particular transactions into a block. With that in
> >> mind, it isn't just that you require the permission of the person
> >> who sold you the coins, which I can agree is a less dangerous form
> >> of permission, but you must also require the permission of at least
> >> 51% of the coin holders to even receive those coins in the first
> >> place. This is not true in a Proof of Work system and this
> >> difference absolutely should not be trivialized.
> >>
> >> Keagan
> >>
> >> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >>> Barrier to entry in PoS is being given permission by the previous
> >> owner of a token
> >>
> >> The idea that proof of stake is not permissionless is completely
> >> invalid. It pains me to see such an argument here. Perhaps we can
> >> come to an agreement by being more specific. I'd like to propose the
> >> following:
> >>
> >> Premise: There is a healthy exchange market for PoS Coin X with tens
> >> of thousands of participants bidding to buy and sell the coin for
> >> other currencies on the market.
> >>
> >> If the premise above is true, then there is no significant
> >> permission needed to enter the market for minting blocks for PoS
> >> Coin X. If you make a bid on someone's coins and they don't like you
> >> and refuse, you can move on to any one of the other tens of
> >> thousands of people in that marketplace. Would you agree, Cloud
> >> Strife, that this situation couldn't be considered "permissioned"?
> >>
> >> If not, consider that participation in *any* decentralized system
> >> requires the permission of at least one user in that system. If
> >> there are thousands of bitcoin public nodes, you require the
> >> permission of at least one of them to participate in bitcoin. No one
> >> considers bitcoin "permissioned" because of this. Do you agree?
> >>
> >> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev
> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >> Barrier to entry in PoW is matter for hardware and energy is
> >> permissionless and exist all over the universe, permissionless cost
> >> which exists for everyone no matter who because it's unforgeable.
> >>
> >> Barrier to entry in PoS is being given permission by the previous
> >> owner of a token for you to have it via transfer or sale, both
> >> choices they never have to make since there are no continuous costs
> >> with producing blocks forcing it. A permission is an infinitely high
> >> barrier to entry if the previous owner, like the premining party,
> >> refuses to give up the token they control.
> >>
> >> You're skipping the part where you depend on a permission of a
> >> central party in control of the authority token before you can
> >> produce blocks on your rasberry Pi.
> >>
> >> Proof of stake is not in any possible way relevant to permissionless
> >> protocols, and thus not possibly relevant to decentralized protocols
> >> where control must be distributed to independent (i.e.
> >> permissionless) parties.
> >>
> >> There's nothing of relevance to discuss and this has been figured
> >> out long long ago.
> >>
> >>
> > https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
> >>
> >>
> > https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
> >>
> >> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev
> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >> @Lloyd wrote:
> >>
> >> Of course in reality no one wants to keep their coin holding keys
> >> online so in Alogorand you can authorize a set of "participation
> >> keys"[1] that will be used to create blocks on your coin holding
> >> key's behalf.
> >> Hopefully you've spotted the problem.
> >> You can send your participation keys to any malicious party with a
> >> nice website (see random example [2]) offering you a good return.
> >> Damn it's still Proof-of-SquareSpace!
> >>
> >> I believe we are talking about a comparison to PoW, correct? If you
> >> want to mine PoW, you need to buy expensive hardware and configure
> >> it to work, and wait a long time to get any return by solo mining.
> >> Or you can join a mining pool, which might use your hashing power
> >> for nefarious purposes. Or you might skip the hardware all together
> >> and fall for some "cloud mining" scheme with a pretty website and a
> >> high rate of advertised return. So as you can see,
> >> Proof-of-SquareSpace exists in PoW as well!
> >>
> >> The PoS equivalent of buying mining hardware is setting up your own
> >> validator and not outsourcing that to anyone else. So both PoW and
> >> PoS have the professional/expert way of participating, and the
> >> fraud-prone, amateur way of participating. The only difference is,
> >> with PoS the professional/expert way is accessible to anyone with a
> >> raspberry Pi and a web connection, which is a much lower barrier to
> >> entry than PoW. _______________________________________________
> >> bitcoin-dev mailing list
> >> bitcoin-dev@lists.linuxfoundation.org
> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-24 21:50 ` Erik Aronesty
@ 2021-06-25 0:29 ` yanmaani
2021-06-25 16:08 ` Ruben Somsen
0 siblings, 1 reply; 67+ messages in thread
From: yanmaani @ 2021-06-25 0:29 UTC (permalink / raw)
To: Erik Aronesty; +Cc: Bitcoin Protocol Discussion, Billy Tetrud
No, that's not how it works.
PoS is constitutionally incapable of producing any further consensus
from its starting point. If you start out by hardcoding the bitcoin
ledger state at June 1, 2021, then your PoS system will be unable to
reach a global consensus as to what the state was on June 2, 2021.
To get global consensus in PoS, you have to know which block came first.
To reach a consensus on which block was first, you need to solve the
timestamp problem. And to solve the timestamp problem, you need a
consensus system. You'll notice that at no point does PoS provide such a
consensus system.
Implementations of PoS sacrifice global consensus for 'weak
subjectivity', meaning that each node has its own notion of when a
certain block arrived. Astute observers will note that 'each node has
its own notion of what happened' differs somewhat from 'all nodes agree
on what happened', and that only one of these is a good description of
what is commonly known as 'consensus'.
Maybe a simpler way of looking at it is from the coder's perspective:
how do you implement IBD? In PoW, the "longest chain" rule is used -
"Nodes can leave and rejoin the network at will, accepting the
proof-of-work chain as proof of what happened while they were gone.".
Does PoS have this property?
On 2021-06-24 21:50, Erik Aronesty wrote:
>> PoS is not suitable for use as a consensus system, because
> it is constitutionally incapable of producing a consensus.
>
> true - but only for a system that is starting from nothing.
>
> since bitcoin already exists, and we have a consensus, you can use
> bitcoin's existing consensus to maintain that consensus using
> references to prior state. and yes, you simply have to limit reorgs
> to not go back before PoW was abandoned in favor of PoS/PoB (assuming
> all incentive problems are solved).
>
> ie: once you have uses PoW to bootstrap the system, you can "recycle"
> that work.
>
> On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> No, 51% of the *coin holders* can't do diddly squat. 51% of miners
>> can,
>> but in PoW, that's a different set to the coin holders.
>>
>> The basic problem with PoS, anyway, is that it's not actually a
>> consensus system ("weak subjectivity"). Either you allow long reorgs,
>> and then you open the door to long-range attacks, or you don't, and
>> then
>> you're not guaranteed that all nodes agree on the state of the chain,
>> which was the purpose of the system to begin with.
>>
>> To put it more plainly: for PoS to work, you need a consensus on which
>> block was seen first. But if you had that, you could presumably apply
>> that method to determine which *transaction* was seen first, in which
>> case you could do away with the blockchain entirely. (Real-world
>> implementations of PoS, such that they are, do away with this
>> requirement, scrapping the global consensus on ordering in favor of
>> having each node decide for itself which block came first.)
>>
>> In other words, even if you solved all the incentive problems, the
>> fact
>> remains that PoS is not suitable for use as a consensus system,
>> because
>> it is constitutionally incapable of producing a consensus.
>>
>> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
>> >> This is not true in a Proof of Work system and this difference
>> > absolutely should not be trivialized.
>> >
>> > That is in fact true of Proof of Work as well. If a colluding
>> > coalition of miners with more than 50% of the hashrate want to censor
>> > transactions, they absolutely can do that by orphaning blocks that
>> > contain transactions they want to censor. This is not different in
>> > proof of stake.
>> >
>> > On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
>> > <keagan.mcclelland@gmail.com> wrote:
>> >
>> >>> Premise: There is a healthy exchange market for PoS Coin X with
>> >> tens of thousands of participants bidding to buy and sell the coin
>> >> for other currencies on the market.
>> >>
>> >> The difference here though is that Proof of Stake allows the quorum
>> >> of coin holders to block the exchange of said coins if they are
>> >> going to a particular destination. Nothing requires these staking
>> >> nodes to include particular transactions into a block. With that in
>> >> mind, it isn't just that you require the permission of the person
>> >> who sold you the coins, which I can agree is a less dangerous form
>> >> of permission, but you must also require the permission of at least
>> >> 51% of the coin holders to even receive those coins in the first
>> >> place. This is not true in a Proof of Work system and this
>> >> difference absolutely should not be trivialized.
>> >>
>> >> Keagan
>> >>
>> >> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
>> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >>
>> >>> Barrier to entry in PoS is being given permission by the previous
>> >> owner of a token
>> >>
>> >> The idea that proof of stake is not permissionless is completely
>> >> invalid. It pains me to see such an argument here. Perhaps we can
>> >> come to an agreement by being more specific. I'd like to propose the
>> >> following:
>> >>
>> >> Premise: There is a healthy exchange market for PoS Coin X with tens
>> >> of thousands of participants bidding to buy and sell the coin for
>> >> other currencies on the market.
>> >>
>> >> If the premise above is true, then there is no significant
>> >> permission needed to enter the market for minting blocks for PoS
>> >> Coin X. If you make a bid on someone's coins and they don't like you
>> >> and refuse, you can move on to any one of the other tens of
>> >> thousands of people in that marketplace. Would you agree, Cloud
>> >> Strife, that this situation couldn't be considered "permissioned"?
>> >>
>> >> If not, consider that participation in *any* decentralized system
>> >> requires the permission of at least one user in that system. If
>> >> there are thousands of bitcoin public nodes, you require the
>> >> permission of at least one of them to participate in bitcoin. No one
>> >> considers bitcoin "permissioned" because of this. Do you agree?
>> >>
>> >> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev
>> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >>
>> >> Barrier to entry in PoW is matter for hardware and energy is
>> >> permissionless and exist all over the universe, permissionless cost
>> >> which exists for everyone no matter who because it's unforgeable.
>> >>
>> >> Barrier to entry in PoS is being given permission by the previous
>> >> owner of a token for you to have it via transfer or sale, both
>> >> choices they never have to make since there are no continuous costs
>> >> with producing blocks forcing it. A permission is an infinitely high
>> >> barrier to entry if the previous owner, like the premining party,
>> >> refuses to give up the token they control.
>> >>
>> >> You're skipping the part where you depend on a permission of a
>> >> central party in control of the authority token before you can
>> >> produce blocks on your rasberry Pi.
>> >>
>> >> Proof of stake is not in any possible way relevant to permissionless
>> >> protocols, and thus not possibly relevant to decentralized protocols
>> >> where control must be distributed to independent (i.e.
>> >> permissionless) parties.
>> >>
>> >> There's nothing of relevance to discuss and this has been figured
>> >> out long long ago.
>> >>
>> >>
>> > https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>> >>
>> >>
>> > https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>> >>
>> >> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev
>> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >>
>> >> @Lloyd wrote:
>> >>
>> >> Of course in reality no one wants to keep their coin holding keys
>> >> online so in Alogorand you can authorize a set of "participation
>> >> keys"[1] that will be used to create blocks on your coin holding
>> >> key's behalf.
>> >> Hopefully you've spotted the problem.
>> >> You can send your participation keys to any malicious party with a
>> >> nice website (see random example [2]) offering you a good return.
>> >> Damn it's still Proof-of-SquareSpace!
>> >>
>> >> I believe we are talking about a comparison to PoW, correct? If you
>> >> want to mine PoW, you need to buy expensive hardware and configure
>> >> it to work, and wait a long time to get any return by solo mining.
>> >> Or you can join a mining pool, which might use your hashing power
>> >> for nefarious purposes. Or you might skip the hardware all together
>> >> and fall for some "cloud mining" scheme with a pretty website and a
>> >> high rate of advertised return. So as you can see,
>> >> Proof-of-SquareSpace exists in PoW as well!
>> >>
>> >> The PoS equivalent of buying mining hardware is setting up your own
>> >> validator and not outsourcing that to anyone else. So both PoW and
>> >> PoS have the professional/expert way of participating, and the
>> >> fraud-prone, amateur way of participating. The only difference is,
>> >> with PoS the professional/expert way is accessible to anyone with a
>> >> raspberry Pi and a web connection, which is a much lower barrier to
>> >> entry than PoW. _______________________________________________
>> >> bitcoin-dev mailing list
>> >> bitcoin-dev@lists.linuxfoundation.org
>> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> > _______________________________________________
>> > bitcoin-dev mailing list
>> > bitcoin-dev@lists.linuxfoundation.org
>> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> > _______________________________________________
>> > bitcoin-dev mailing list
>> > bitcoin-dev@lists.linuxfoundation.org
>> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> > _______________________________________________
>> > bitcoin-dev mailing list
>> > bitcoin-dev@lists.linuxfoundation.org
>> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
2021-06-25 0:29 ` yanmaani
@ 2021-06-25 16:08 ` Ruben Somsen
[not found] ` <MN2PR10MB4030EBD14EF82E29CFEDD00FB1069@MN2PR10MB4030.namprd10.prod.outlook.com>
0 siblings, 1 reply; 67+ messages in thread
From: Ruben Somsen @ 2021-06-25 16:08 UTC (permalink / raw)
To: Bitcoin Protocol Discussion; +Cc: Billy Tetrud
[-- Attachment #1: Type: text/plain, Size: 11429 bytes --]
Hi all,
Thanks for the lively discussion. On behalf of the bitcoin-dev moderators
and with the readers of this mailing list in mind, we'd like to suggest
finishing up this discussion. Of course there should be some room for
exploring fringe ideas, but it should not dominate the mailing list either.
Fun as it may be, perhaps it's time to get back to focusing on the topics
that are more directly relevant to Bitcoin.
Cheers,
Ruben
On Fri, Jun 25, 2021 at 9:29 AM yanmaani--- via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> No, that's not how it works.
>
> PoS is constitutionally incapable of producing any further consensus
> from its starting point. If you start out by hardcoding the bitcoin
> ledger state at June 1, 2021, then your PoS system will be unable to
> reach a global consensus as to what the state was on June 2, 2021.
>
> To get global consensus in PoS, you have to know which block came first.
> To reach a consensus on which block was first, you need to solve the
> timestamp problem. And to solve the timestamp problem, you need a
> consensus system. You'll notice that at no point does PoS provide such a
> consensus system.
>
> Implementations of PoS sacrifice global consensus for 'weak
> subjectivity', meaning that each node has its own notion of when a
> certain block arrived. Astute observers will note that 'each node has
> its own notion of what happened' differs somewhat from 'all nodes agree
> on what happened', and that only one of these is a good description of
> what is commonly known as 'consensus'.
>
> Maybe a simpler way of looking at it is from the coder's perspective:
> how do you implement IBD? In PoW, the "longest chain" rule is used -
> "Nodes can leave and rejoin the network at will, accepting the
> proof-of-work chain as proof of what happened while they were gone.".
> Does PoS have this property?
>
> On 2021-06-24 21:50, Erik Aronesty wrote:
> >> PoS is not suitable for use as a consensus system, because
> > it is constitutionally incapable of producing a consensus.
> >
> > true - but only for a system that is starting from nothing.
> >
> > since bitcoin already exists, and we have a consensus, you can use
> > bitcoin's existing consensus to maintain that consensus using
> > references to prior state. and yes, you simply have to limit reorgs
> > to not go back before PoW was abandoned in favor of PoS/PoB (assuming
> > all incentive problems are solved).
> >
> > ie: once you have uses PoW to bootstrap the system, you can "recycle"
> > that work.
> >
> > On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
> > <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >> No, 51% of the *coin holders* can't do diddly squat. 51% of miners
> >> can,
> >> but in PoW, that's a different set to the coin holders.
> >>
> >> The basic problem with PoS, anyway, is that it's not actually a
> >> consensus system ("weak subjectivity"). Either you allow long reorgs,
> >> and then you open the door to long-range attacks, or you don't, and
> >> then
> >> you're not guaranteed that all nodes agree on the state of the chain,
> >> which was the purpose of the system to begin with.
> >>
> >> To put it more plainly: for PoS to work, you need a consensus on which
> >> block was seen first. But if you had that, you could presumably apply
> >> that method to determine which *transaction* was seen first, in which
> >> case you could do away with the blockchain entirely. (Real-world
> >> implementations of PoS, such that they are, do away with this
> >> requirement, scrapping the global consensus on ordering in favor of
> >> having each node decide for itself which block came first.)
> >>
> >> In other words, even if you solved all the incentive problems, the
> >> fact
> >> remains that PoS is not suitable for use as a consensus system,
> >> because
> >> it is constitutionally incapable of producing a consensus.
> >>
> >> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
> >> >> This is not true in a Proof of Work system and this difference
> >> > absolutely should not be trivialized.
> >> >
> >> > That is in fact true of Proof of Work as well. If a colluding
> >> > coalition of miners with more than 50% of the hashrate want to censor
> >> > transactions, they absolutely can do that by orphaning blocks that
> >> > contain transactions they want to censor. This is not different in
> >> > proof of stake.
> >> >
> >> > On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
> >> > <keagan.mcclelland@gmail.com> wrote:
> >> >
> >> >>> Premise: There is a healthy exchange market for PoS Coin X with
> >> >> tens of thousands of participants bidding to buy and sell the coin
> >> >> for other currencies on the market.
> >> >>
> >> >> The difference here though is that Proof of Stake allows the quorum
> >> >> of coin holders to block the exchange of said coins if they are
> >> >> going to a particular destination. Nothing requires these staking
> >> >> nodes to include particular transactions into a block. With that in
> >> >> mind, it isn't just that you require the permission of the person
> >> >> who sold you the coins, which I can agree is a less dangerous form
> >> >> of permission, but you must also require the permission of at least
> >> >> 51% of the coin holders to even receive those coins in the first
> >> >> place. This is not true in a Proof of Work system and this
> >> >> difference absolutely should not be trivialized.
> >> >>
> >> >> Keagan
> >> >>
> >> >> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >>> Barrier to entry in PoS is being given permission by the previous
> >> >> owner of a token
> >> >>
> >> >> The idea that proof of stake is not permissionless is completely
> >> >> invalid. It pains me to see such an argument here. Perhaps we can
> >> >> come to an agreement by being more specific. I'd like to propose the
> >> >> following:
> >> >>
> >> >> Premise: There is a healthy exchange market for PoS Coin X with tens
> >> >> of thousands of participants bidding to buy and sell the coin for
> >> >> other currencies on the market.
> >> >>
> >> >> If the premise above is true, then there is no significant
> >> >> permission needed to enter the market for minting blocks for PoS
> >> >> Coin X. If you make a bid on someone's coins and they don't like you
> >> >> and refuse, you can move on to any one of the other tens of
> >> >> thousands of people in that marketplace. Would you agree, Cloud
> >> >> Strife, that this situation couldn't be considered "permissioned"?
> >> >>
> >> >> If not, consider that participation in *any* decentralized system
> >> >> requires the permission of at least one user in that system. If
> >> >> there are thousands of bitcoin public nodes, you require the
> >> >> permission of at least one of them to participate in bitcoin. No one
> >> >> considers bitcoin "permissioned" because of this. Do you agree?
> >> >>
> >> >> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev
> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >> Barrier to entry in PoW is matter for hardware and energy is
> >> >> permissionless and exist all over the universe, permissionless cost
> >> >> which exists for everyone no matter who because it's unforgeable.
> >> >>
> >> >> Barrier to entry in PoS is being given permission by the previous
> >> >> owner of a token for you to have it via transfer or sale, both
> >> >> choices they never have to make since there are no continuous costs
> >> >> with producing blocks forcing it. A permission is an infinitely high
> >> >> barrier to entry if the previous owner, like the premining party,
> >> >> refuses to give up the token they control.
> >> >>
> >> >> You're skipping the part where you depend on a permission of a
> >> >> central party in control of the authority token before you can
> >> >> produce blocks on your rasberry Pi.
> >> >>
> >> >> Proof of stake is not in any possible way relevant to permissionless
> >> >> protocols, and thus not possibly relevant to decentralized protocols
> >> >> where control must be distributed to independent (i.e.
> >> >> permissionless) parties.
> >> >>
> >> >> There's nothing of relevance to discuss and this has been figured
> >> >> out long long ago.
> >> >>
> >> >>
> >> >
> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
> >> >>
> >> >>
> >> >
> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
> >> >>
> >> >> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev
> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >> @Lloyd wrote:
> >> >>
> >> >> Of course in reality no one wants to keep their coin holding keys
> >> >> online so in Alogorand you can authorize a set of "participation
> >> >> keys"[1] that will be used to create blocks on your coin holding
> >> >> key's behalf.
> >> >> Hopefully you've spotted the problem.
> >> >> You can send your participation keys to any malicious party with a
> >> >> nice website (see random example [2]) offering you a good return.
> >> >> Damn it's still Proof-of-SquareSpace!
> >> >>
> >> >> I believe we are talking about a comparison to PoW, correct? If you
> >> >> want to mine PoW, you need to buy expensive hardware and configure
> >> >> it to work, and wait a long time to get any return by solo mining.
> >> >> Or you can join a mining pool, which might use your hashing power
> >> >> for nefarious purposes. Or you might skip the hardware all together
> >> >> and fall for some "cloud mining" scheme with a pretty website and a
> >> >> high rate of advertised return. So as you can see,
> >> >> Proof-of-SquareSpace exists in PoW as well!
> >> >>
> >> >> The PoS equivalent of buying mining hardware is setting up your own
> >> >> validator and not outsourcing that to anyone else. So both PoW and
> >> >> PoS have the professional/expert way of participating, and the
> >> >> fraud-prone, amateur way of participating. The only difference is,
> >> >> with PoS the professional/expert way is accessible to anyone with a
> >> >> raspberry Pi and a web connection, which is a much lower barrier to
> >> >> entry than PoW. _______________________________________________
> >> >> bitcoin-dev mailing list
> >> >> bitcoin-dev@lists.linuxfoundation.org
> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> _______________________________________________
> >> bitcoin-dev mailing list
> >> bitcoin-dev@lists.linuxfoundation.org
> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 16150 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
[not found] ` <MN2PR10MB4030EBD14EF82E29CFEDD00FB1069@MN2PR10MB4030.namprd10.prod.outlook.com>
@ 2021-06-26 16:26 ` Billy Tetrud
0 siblings, 0 replies; 67+ messages in thread
From: Billy Tetrud @ 2021-06-26 16:26 UTC (permalink / raw)
To: greg m; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 11888 bytes --]
I've created a thread on reddit where we can continue the conversation:
https://www.reddit.com/r/BitcoinDiscussion/comments/o8dvlo/bitcoindev_opinion_on_proof_of_stake_in_future/
On Fri, Jun 25, 2021 at 9:59 AM greg m <greg_not_so@hotmail.com> wrote:
> Where do we go from here? reddit?
>
> Happy Friday everyone!
> gm
>
> On Jun 25, 2021 12:08, Ruben Somsen via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hi all,
>
> Thanks for the lively discussion. On behalf of the bitcoin-dev moderators
> and with the readers of this mailing list in mind, we'd like to suggest
> finishing up this discussion. Of course there should be some room for
> exploring fringe ideas, but it should not dominate the mailing list either.
> Fun as it may be, perhaps it's time to get back to focusing on the topics
> that are more directly relevant to Bitcoin.
>
> Cheers,
> Ruben
>
> On Fri, Jun 25, 2021 at 9:29 AM yanmaani--- via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> No, that's not how it works.
>
> PoS is constitutionally incapable of producing any further consensus
> from its starting point. If you start out by hardcoding the bitcoin
> ledger state at June 1, 2021, then your PoS system will be unable to
> reach a global consensus as to what the state was on June 2, 2021.
>
> To get global consensus in PoS, you have to know which block came first.
> To reach a consensus on which block was first, you need to solve the
> timestamp problem. And to solve the timestamp problem, you need a
> consensus system. You'll notice that at no point does PoS provide such a
> consensus system.
>
> Implementations of PoS sacrifice global consensus for 'weak
> subjectivity', meaning that each node has its own notion of when a
> certain block arrived. Astute observers will note that 'each node has
> its own notion of what happened' differs somewhat from 'all nodes agree
> on what happened', and that only one of these is a good description of
> what is commonly known as 'consensus'.
>
> Maybe a simpler way of looking at it is from the coder's perspective:
> how do you implement IBD? In PoW, the "longest chain" rule is used -
> "Nodes can leave and rejoin the network at will, accepting the
> proof-of-work chain as proof of what happened while they were gone.".
> Does PoS have this property?
>
> On 2021-06-24 21:50, Erik Aronesty wrote:
> >> PoS is not suitable for use as a consensus system, because
> > it is constitutionally incapable of producing a consensus.
> >
> > true - but only for a system that is starting from nothing.
> >
> > since bitcoin already exists, and we have a consensus, you can use
> > bitcoin's existing consensus to maintain that consensus using
> > references to prior state. and yes, you simply have to limit reorgs
> > to not go back before PoW was abandoned in favor of PoS/PoB (assuming
> > all incentive problems are solved).
> >
> > ie: once you have uses PoW to bootstrap the system, you can "recycle"
> > that work.
> >
> > On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
> > <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >>
> >> No, 51% of the *coin holders* can't do diddly squat. 51% of miners
> >> can,
> >> but in PoW, that's a different set to the coin holders.
> >>
> >> The basic problem with PoS, anyway, is that it's not actually a
> >> consensus system ("weak subjectivity"). Either you allow long reorgs,
> >> and then you open the door to long-range attacks, or you don't, and
> >> then
> >> you're not guaranteed that all nodes agree on the state of the chain,
> >> which was the purpose of the system to begin with.
> >>
> >> To put it more plainly: for PoS to work, you need a consensus on which
> >> block was seen first. But if you had that, you could presumably apply
> >> that method to determine which *transaction* was seen first, in which
> >> case you could do away with the blockchain entirely. (Real-world
> >> implementations of PoS, such that they are, do away with this
> >> requirement, scrapping the global consensus on ordering in favor of
> >> having each node decide for itself which block came first.)
> >>
> >> In other words, even if you solved all the incentive problems, the
> >> fact
> >> remains that PoS is not suitable for use as a consensus system,
> >> because
> >> it is constitutionally incapable of producing a consensus.
> >>
> >> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
> >> >> This is not true in a Proof of Work system and this difference
> >> > absolutely should not be trivialized.
> >> >
> >> > That is in fact true of Proof of Work as well. If a colluding
> >> > coalition of miners with more than 50% of the hashrate want to censor
> >> > transactions, they absolutely can do that by orphaning blocks that
> >> > contain transactions they want to censor. This is not different in
> >> > proof of stake.
> >> >
> >> > On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
> >> > <keagan.mcclelland@gmail.com> wrote:
> >> >
> >> >>> Premise: There is a healthy exchange market for PoS Coin X with
> >> >> tens of thousands of participants bidding to buy and sell the coin
> >> >> for other currencies on the market.
> >> >>
> >> >> The difference here though is that Proof of Stake allows the quorum
> >> >> of coin holders to block the exchange of said coins if they are
> >> >> going to a particular destination. Nothing requires these staking
> >> >> nodes to include particular transactions into a block. With that in
> >> >> mind, it isn't just that you require the permission of the person
> >> >> who sold you the coins, which I can agree is a less dangerous form
> >> >> of permission, but you must also require the permission of at least
> >> >> 51% of the coin holders to even receive those coins in the first
> >> >> place. This is not true in a Proof of Work system and this
> >> >> difference absolutely should not be trivialized.
> >> >>
> >> >> Keagan
> >> >>
> >> >> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >>> Barrier to entry in PoS is being given permission by the previous
> >> >> owner of a token
> >> >>
> >> >> The idea that proof of stake is not permissionless is completely
> >> >> invalid. It pains me to see such an argument here. Perhaps we can
> >> >> come to an agreement by being more specific. I'd like to propose the
> >> >> following:
> >> >>
> >> >> Premise: There is a healthy exchange market for PoS Coin X with tens
> >> >> of thousands of participants bidding to buy and sell the coin for
> >> >> other currencies on the market.
> >> >>
> >> >> If the premise above is true, then there is no significant
> >> >> permission needed to enter the market for minting blocks for PoS
> >> >> Coin X. If you make a bid on someone's coins and they don't like you
> >> >> and refuse, you can move on to any one of the other tens of
> >> >> thousands of people in that marketplace. Would you agree, Cloud
> >> >> Strife, that this situation couldn't be considered "permissioned"?
> >> >>
> >> >> If not, consider that participation in *any* decentralized system
> >> >> requires the permission of at least one user in that system. If
> >> >> there are thousands of bitcoin public nodes, you require the
> >> >> permission of at least one of them to participate in bitcoin. No one
> >> >> considers bitcoin "permissioned" because of this. Do you agree?
> >> >>
> >> >> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev
> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >> Barrier to entry in PoW is matter for hardware and energy is
> >> >> permissionless and exist all over the universe, permissionless cost
> >> >> which exists for everyone no matter who because it's unforgeable.
> >> >>
> >> >> Barrier to entry in PoS is being given permission by the previous
> >> >> owner of a token for you to have it via transfer or sale, both
> >> >> choices they never have to make since there are no continuous costs
> >> >> with producing blocks forcing it. A permission is an infinitely high
> >> >> barrier to entry if the previous owner, like the premining party,
> >> >> refuses to give up the token they control.
> >> >>
> >> >> You're skipping the part where you depend on a permission of a
> >> >> central party in control of the authority token before you can
> >> >> produce blocks on your rasberry Pi.
> >> >>
> >> >> Proof of stake is not in any possible way relevant to permissionless
> >> >> protocols, and thus not possibly relevant to decentralized protocols
> >> >> where control must be distributed to independent (i.e.
> >> >> permissionless) parties.
> >> >>
> >> >> There's nothing of relevance to discuss and this has been figured
> >> >> out long long ago.
> >> >>
> >> >>
> >> >
> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
> >> >>
> >> >>
> >> >
> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
> >> >>
> >> >> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev
> >> >> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >> >>
> >> >> @Lloyd wrote:
> >> >>
> >> >> Of course in reality no one wants to keep their coin holding keys
> >> >> online so in Alogorand you can authorize a set of "participation
> >> >> keys"[1] that will be used to create blocks on your coin holding
> >> >> key's behalf.
> >> >> Hopefully you've spotted the problem.
> >> >> You can send your participation keys to any malicious party with a
> >> >> nice website (see random example [2]) offering you a good return.
> >> >> Damn it's still Proof-of-SquareSpace!
> >> >>
> >> >> I believe we are talking about a comparison to PoW, correct? If you
> >> >> want to mine PoW, you need to buy expensive hardware and configure
> >> >> it to work, and wait a long time to get any return by solo mining.
> >> >> Or you can join a mining pool, which might use your hashing power
> >> >> for nefarious purposes. Or you might skip the hardware all together
> >> >> and fall for some "cloud mining" scheme with a pretty website and a
> >> >> high rate of advertised return. So as you can see,
> >> >> Proof-of-SquareSpace exists in PoW as well!
> >> >>
> >> >> The PoS equivalent of buying mining hardware is setting up your own
> >> >> validator and not outsourcing that to anyone else. So both PoW and
> >> >> PoS have the professional/expert way of participating, and the
> >> >> fraud-prone, amateur way of participating. The only difference is,
> >> >> with PoS the professional/expert way is accessible to anyone with a
> >> >> raspberry Pi and a web connection, which is a much lower barrier to
> >> >> entry than PoW. _______________________________________________
> >> >> bitcoin-dev mailing list
> >> >> bitcoin-dev@lists.linuxfoundation.org
> >> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> > _______________________________________________
> >> > bitcoin-dev mailing list
> >> > bitcoin-dev@lists.linuxfoundation.org
> >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >> _______________________________________________
> >> bitcoin-dev mailing list
> >> bitcoin-dev@lists.linuxfoundation.org
> >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
>
[-- Attachment #2: Type: text/html, Size: 17168 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
[not found] <mailman.100801.1624522329.32591.bitcoin-dev@lists.linuxfoundation.org>
@ 2021-06-24 8:59 ` Carlo Spiller
0 siblings, 0 replies; 67+ messages in thread
From: Carlo Spiller @ 2021-06-24 8:59 UTC (permalink / raw)
To: bitcoin-dev
The key difference here is that in PoS the seller of the coin might
still have a vested interest in the network, where in PoW the person you
aquire energy from to mine and mint has absolutely nothing to do with
the network. Anyone with power supply can sell it to you and has no
further interest in what you do with that power. If you don't find a
powersupply, you can build your own.
That is not generically true for PoS. If the seller is still staked with
more coins they hold, they are entrenched in the network and have
"permissioned" you to partake only for what they sold to you. Even
worse, if a super-majority decides to simply never sell, you cannot
aquire significant stake and participate in minting.
Am 24.06.21 um 10:12 schrieb bitcoin-dev-request@lists.linuxfoundation.org:
> Re: Opinion on proof of stake in future
Premise: There is a healthy exchange market for PoS Coin X with tens of
thousands of participants bidding to buy and sell the coin for other
currencies on the market.
If the premise above is true, then there is no significant permission
needed to enter the market for minting blocks for PoS Coin X. If you make a
bid on someone's coins and they don't like you and refuse, you can move on
to any one of the other tens of thousands of people in that marketplace.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [bitcoin-dev] Opinion on proof of stake in future
@ 2021-05-08 10:21 Prayank
0 siblings, 0 replies; 67+ messages in thread
From: Prayank @ 2021-05-08 10:21 UTC (permalink / raw)
To: satoshisingh; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 2073 bytes --]
My opinion:
1.I don't consider PoS to be a better consensus mechanism compared to PoW used in Bitcoin. So any proposal related to PoS in Bitcoin is not an improvement for me.
2.Bitcoin is a protocol for decentralized network that creates consensus without needing a central authority to provide trust. Bitcoin with PoS will be a protocol for a network that creates consensus based on bitcoin holdings.
3.Experiments with PoS can work in trust minimized applications that use Bitcoin or LN or Bitcoin sidechains. However, PoW works better for base layer or Bitcoin protocol.
4.Bitcoin protocol should not be changed based on mainstream media articles, new buzzwords or trends, altcoins, governments etc.
5.Everything involves trade-offs. Not everything needs to be online. Not everything needs to be on a chain of blocks. There are things that you would prefer to save in a spreadsheet offline or write on a paper. Similarly PoS is not the best consensus mechanism for a 'decentralized network' but it may work for projects(not decentralized) that want to use Bitcoin for few things.
6.Most of the Bitcoin users and devs consider PoW used in Bitcoin as the best consensus mechanism. Few people experimenting with PoS will result in another altcoin with nothing much to contribute in improving Bitcoin. I think there are better things to focus on and one of them is privacy.
Few things related to Bitcoin mining that I consider improvements:
-Stratum v2
-More countries started mining bitcoin recently
-Recycling ASIC heat: https://braiins.com/blog/green-innovation-in-bitcoin-mining-recycling-asic-heat
I would love to see people in India researching about creating better ASICs and more involved in Bitcoin mining.
Related links:
https://bitcoin.stackexchange.com/questions/95356/why-doesnt-bitcoin-migrate-to-proof-of-stake
https://download.wpsoftware.net/bitcoin/asic-faq.pdf (Andrew Poelstra)
https://medium.com/@dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806
--
Prayank
[-- Attachment #2: Type: text/html, Size: 3172 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
end of thread, other threads:[~2021-06-26 16:26 UTC | newest]
Thread overview: 67+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-07 17:17 [bitcoin-dev] Opinion on proof of stake in future SatoshiSingh
2021-05-07 23:04 ` Eric Voskuil
2021-05-08 14:33 ` Karl
2021-05-09 10:21 ` R E Broadley
2021-05-09 10:59 ` Karl
2021-05-07 23:19 ` Jeremy
2021-05-08 2:40 ` honest69abe
2021-05-08 14:42 ` Karl
2021-05-09 19:07 ` Cloud Strife
2021-05-08 13:44 ` Eric Martindale
2021-05-09 11:30 ` R E Broadley
2021-05-10 14:08 ` Erik Aronesty
2021-05-10 15:01 ` Keagan McClelland
2021-05-10 21:22 ` LORD HIS EXCELLENCY JAMES HRMH
2021-05-10 21:51 ` Jeremy
2021-05-17 16:58 ` Erik Aronesty
2021-05-18 7:06 ` ZmnSCPxj
2021-05-18 10:16 ` Zac Greenwood
2021-05-18 10:42 ` ZmnSCPxj
2021-05-18 14:02 ` Zac Greenwood
2021-05-18 18:52 ` Erik Aronesty
2021-05-19 14:07 ` Michael Dubrovsky
2021-05-19 15:30 ` Michael Dubrovsky
2021-05-21 0:04 ` Billy Tetrud
2021-05-21 9:42 ` vizeet srivastava
2021-05-21 20:57 ` Erik Aronesty
2021-05-21 21:45 ` Billy Tetrud
2021-05-23 3:41 ` Lloyd Fournier
2021-05-23 19:10 ` Billy Tetrud
2021-05-23 19:28 ` Billy Tetrud
2021-05-24 13:47 ` Erik Aronesty
2021-05-24 20:43 ` Billy Tetrud
2021-05-24 21:49 ` Erik Aronesty
2021-05-25 1:52 ` Billy Tetrud
2021-05-25 13:00 ` Erik Aronesty
2021-05-25 20:01 ` Billy Tetrud
2021-05-25 21:10 ` befreeandopen
2021-05-26 6:53 ` Billy Tetrud
2021-05-26 13:11 ` befreeandopen
2021-05-26 22:07 ` Erik Aronesty
2021-05-28 14:40 ` befreeandopen
2021-05-28 20:06 ` Erik Aronesty
2021-05-28 21:40 ` Billy Tetrud
2021-06-01 8:21 ` befreeandopen
2021-06-01 16:33 ` Erik Aronesty
2021-06-01 19:26 ` befreeandopen
2021-06-01 20:28 ` Erik Aronesty
2021-06-03 5:30 ` SatoshiSingh
2021-06-07 6:15 ` Billy Tetrud
2021-05-27 10:08 ` Billy Tetrud
2021-05-27 13:11 ` Erik Aronesty
2021-05-28 14:36 ` befreeandopen
2021-05-25 8:22 ` befreeandopen
2021-06-15 11:13 ` James MacWhyte
2021-06-17 1:48 ` Lloyd Fournier
2021-06-17 3:31 ` Cloud Strife
2021-06-22 17:45 ` Billy Tetrud
2021-06-23 18:14 ` Keagan McClelland
2021-06-24 0:14 ` Billy Tetrud
2021-06-24 0:37 ` Keagan McClelland
2021-06-24 17:34 ` yanmaani
2021-06-24 21:50 ` Erik Aronesty
2021-06-25 0:29 ` yanmaani
2021-06-25 16:08 ` Ruben Somsen
[not found] ` <MN2PR10MB4030EBD14EF82E29CFEDD00FB1069@MN2PR10MB4030.namprd10.prod.outlook.com>
2021-06-26 16:26 ` Billy Tetrud
2021-05-08 10:21 Prayank
[not found] <mailman.100801.1624522329.32591.bitcoin-dev@lists.linuxfoundation.org>
2021-06-24 8:59 ` Carlo Spiller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox