The Hive notices that you, Mr. Stone, do not seem to think that the POW protocol is a sustainable one and thus needs an update. There seem to be plausible arguments against POW. However, we have yet to see you state any detailed arguments against POS. We know one of them -- susceptibility to 51% attacks. What are some other issues that you see with POS?
Separately, won't coins that are POW just be able to switch their consensus protocol if it becomes a problem?
~ The Hive ~
I'm not ignoring your question. I'm just taking a while to think about it.
Thanks for keeping us informed. We figured you might be developing a response to it.
~ The Hive ~
Sorry for the long delay. I had an unexpected piece of real world work to deliver. One needs to pay the bills.
Proof of stake in its various flavours has the following problems.
Nothing at Stake Problem (fixed with delegated PoS)
If a PoS chain forks, there is nothing stopping a user staking his/her coins on both chains.
Initial Distribution Problem (solved with hybrid PoW/PoS)
Early purchasers of a coin will always be at an advantage over later investors as their coin balance directly contributes to the growth of their wealth. This advantage is conferred to the early investor for as long as they own their stake. Initial coin distribution by PoW somewhat nullifies this.
Long Range Attack (theoretical)
In theory, somebody with enough computational power could build an alternative blockchain starting from the very first block. Some implementations of PoS solve this by defining the maximum allowed depth of a branching point to a certain number of blocks in the past. NXT sets the value at 720 blocks/12 hours for example.
Bribe Attack
In this attack, an attacker attempts to double-spend his funds in the following way:
1. Buy some goods or services
2. Wait until the payment transaction is considered confirmed by the merchant
3. Announce a reward for building on top of a truncated blockchain that does not include the payment transaction. For example, if merchant waited for six confirmations, the attacker will start with the blockchain without the six latest blocks. The attacker may offer a larger reward for users that mint only on top of the attacker’s blockchain (without this, the attacker’s blockchain would never catch up to the correct one).
4. The attacker may continue paying bribes even when the lengths of their blockchain and the correct blockchain become equal in order to gain support of most stakeholders.
(Proof of Stake vs Proof of Work Whitepaper - Bitfury -
http://bitfury.com/content/5-white-papers-research/pos-vs-pow-1.0.2.pdf)
Coin Age Accumulation Attack
Only relevant to some PoS implementations. Peercoin famously suffered from this issue but it is now solved.
In some PoS implementations, coin age is used as the staking metric rather than wallet wealth. If there is no maximum coin age defined in the protocol then it is possible for enough time to lapse for the earliest investors to have enough accumulated coin age to overtake the rest of the network and receive 100% of staking reward.
Some of the above may not be feasible due to required investment size but early investors could be at a significant advantage if intentions are nefarious.
Delegated proof of stake has effectively solved shorter range attacks and the nothing at stake problem but there is no consistency in how PoS coins address these problems.
There are several active projects that use the earliest implementation of PoS that doesn't address any issues and several PoS projects that have implemented a variety of different fixes to problems with no consistency. This means that some of these solutions have not been tested on a significant scale to ensure that they stand up to scrutiny.
Due to the large variety of issues that need to be solved (admittedly some are theoretical) I don't consider PoS to be cryptographically sound until a uniform approach to solving these issues has been implemented.
In short, Stonehedge thinks "close but no cigar".
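The branching-depth limit mentioned under Long Range Attack in the post above, as an added example that is not part of the original post and not code from NXT or any other project. It assumes a chain is a list of block ids indexed by height and that plain chain length stands in for the real chain-selection rule; all function names are hypothetical.

```python
from typing import List

MAX_REORG_DEPTH = 720  # the NXT figure quoted in the post


def fork_point(current: List[str], candidate: List[str]) -> int:
    """Height of the last block both chains share (-1 if none)."""
    height = -1
    for ours, theirs in zip(current, candidate):
        if ours != theirs:
            break
        height += 1
    return height


def reorg_depth(current: List[str], candidate: List[str]) -> int:
    """Number of our blocks that switching to the candidate would discard."""
    return (len(current) - 1) - fork_point(current, candidate)


def accept_candidate(current: List[str], candidate: List[str],
                     max_depth: int = MAX_REORG_DEPTH) -> bool:
    """Switch only to a longer chain that branches within max_depth blocks."""
    if len(candidate) <= len(current):
        return False  # assumption: length is the selection rule
    return reorg_depth(current, candidate) <= max_depth


def build(main: List[str], fork_height: int, extra: int, tag: str) -> List[str]:
    """Constructed sample: branch off `main` after fork_height, add `extra` blocks."""
    return main[:fork_height + 1] + [f"{tag}{i}" for i in range(extra)]


if __name__ == "__main__":
    main_chain = [f"m{i}" for i in range(1000)]  # constructed sample chain
    cases = {
        "recent fork, 99 blocks back": build(main_chain, 900, 200, "a"),
        "rewrite from the first block": build(main_chain, 0, 1500, "x"),
        "branch exactly 720 back": build(main_chain, 279, 800, "b"),
        "branch 721 back": build(main_chain, 278, 800, "c"),
    }
    for label, chain in cases.items():
        print(f"{label}: depth={reorg_depth(main_chain, chain)} "
              f"accept={accept_candidate(main_chain, chain)}")
```

A node applying this rule refuses the chain rebuilt from the first block no matter how long it is, because the branch point lies more than 720 blocks behind its current tip.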
Good summary of PoS, but I think it's important to distinguish between the distribution mechanism and the security mechanism.
PoS and PoWaste attempt to be both, and both fail spectacularly at security.
Pick whatever distribution method suits your goals, but let the overlay network handle the security. I've done the math publicly many times, it boils down to deterministic subsetting of nodes being orders of magnitude more secure... and the code's already there and working, just currently gimped.